Threat actors have leaked 1 million stolen credit cards for free online as a way to promote a fairly new and increasingly popular cybercriminal site dedicated to…selling payment-card credentials.
Researchers from threat intelligence firm Cyble noticed the leak of the payment-card data during a “routine monitoring of cybercrime and Dark Web marketplaces,” researchers said in a post published over the weekend. The cards were published on an underground card-selling market, AllWorld.Cards, and stolen between 2018 and 2019, according to info posted on the forum.
The leaked credit cards include the following fields: Credit-card number, expiration date, CVV, name, country, state, city, address, ZIP code, email and phone number, according to threat actors.
AllWorld.Cards appears to be a relatively new player to the market for selling stolen credit-card data on the Dark Web, according to Cyble. “Our analysis suggests that this market has been around since May 2021 and is available on a Tor channel as well,” according to the post.
The black market for stolen credit cards is a massive illegal business, with cybercriminals getting their hands on card data in a number of ways. Point-of-sale card skimmers, targeted Magecart attacks on websites and info-stealing trojans are among their top tools for stealing credit-card data.
Indeed, in the last six months of 2020 alone, threat actors offered more than 45 million compromised cards for sale in underground credit-card markets monitored by security firm Cybersixgill, the company said in a report. These cards are then used by cybercriminals to make online purchases, including buying gift cards, that are hard to track back to them.
How Many Cards Are Still Active?
The curators of AllWorld.Cards began flogging their cybercriminal services on carding sites in early June, ostensibly to drum up new business, researchers from Italian firm D3 Lab noted in a separate blog post detailing the leak, published last Friday.
“It is conceivable that the data was shared for free to entice other criminal actors to frequent their site…by purchasing additional stolen data from unsuspecting victims,” according to the post (machine-translated from Italian).
There is some uncertainty about how many of the cards are actually still active and available for cybercriminals to use. Cyble researchers noted that threat actors claimed that 27 percent, according to a random sampling of 98 cards, are still active and can be used for illegal purchasing.
However, according to D3 Lab’s own analysis—which involved sending the credit-card numbers to client banks “to carry out the appropriate mitigation actions” — researchers found that closer to 50 percent of the cards are “still operational, not yet identified as compromised,” they said.
Cyble posted a list of the top 500 banks affected by the leak of stolen credit cards in descending order. Of the banks, 72,937 of the cards were associated the State Bank of India; 38,010 with Banco Santander (Brazil); 30480 with a U.S. bank based in Ohio called Sutton Bank; 27,441 with JP Morgan Chase Bank N.A.; and 24,307 with BBVA Bancomer S.A., a bank based in Mexico.
Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs. Find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.