623K Payment Cards Stolen from Cybercrime Forum

The database was subsequently leaked elsewhere, imperiling consumers from the U.S. and around the world.

The Swarmshop cyber-underground “card shop” has been hit by hackers, who lifted the site’s database of stolen payment-card data and leaked it online.

That’s according to researchers at Group-IB, who said that the database was posted on a rival underground forum.

Card shops are online cybercriminal forums where stolen payment-card data is bought and sold. Researchers said the database in question contains 623,036 payment-card records from card-issuers in Brazil, Canada, China, France, Mexico, Saudi Arabia, Singapore, the U.K. and the U.S. The lion’s share of the ill-gotten card data (63 percent) came from the U.S., they noted.

The database also has 498 sets of online banking account credentials and 69,592 sets of U.S. Social Security Numbers and Canadian Social Insurance Numbers, according to Group-IB.

And finally, there are 12,344 sets of data for card shop admins, sellers and buyers, including user names, hashed passwords, contact details, sales activity and current balances, researchers said.

The firm’s analysis of the database found that the information was new, judging by the latest user activity timestamps.

“Hackers have been hacking other hackers for decades. What better way to gain access to new hacking tools, dumps, cards, personally identifiable information (PII) and other items of value than hacking the people that are stealing it in the first place,” Tyler Shields, CMO at JupiterOne, said via email. “It comes as no surprise that there have been multiple successful breaches against Swarmshop. Cybercriminals have trouble with security just like everyone else. It just goes to show you that cybersecurity is a difficult problem no matter who you are.”

Hacking the Hackers

Swarmshop is a mid-size, Russian-speaking “neighborhood” store that has been operating since at least April 2019. According to Group-IB, the number of Swarmshop users is now 2.5 times larger than it was in January of 2020, with the volume of traded payment records increasing from 485,617 pieces to 623,036 last month.

In March, when it was hacked, the total amount deposited within buyer accounts was $18,145.73.

“Users of card shops do not store large amounts of money on their accounts and top up the balance to make payments if necessary,” explained the researchers, in a posting on Thursday. “The analysis showed that it’s fair to assume that card shop owners’ net profits have also grown exponentially.”

“While the source of the breach remains unclear, the exposed records show that two card shop users attempted to inject a malicious script searching for website vulnerabilities in the contact information field,” researchers said. “It’s impossible to determine if the two events are connected to the breach.”

Swarmshop has been targeted by fellow cybercriminals before: Back in January 2020, someone claimed to be selling the Swarmshop user database and posted a screenshot allegedly from the card shop’s admin panel. It’s unclear if the same perpetrators are at work in the latest incident.

“Although the source remains unknown, it must be one of those revenge hack cases,” Group-IB researchers said. “This is a major reputation hit for the card shop as all the sellers lost their goods and personal data. The shop is unlikely to restore its status.”

Chris Morales, CISO at Netenrich, postulated that the hack could have been for glory.

“This once again demonstrates that all businesses have the same concern of compromise, both legal and illegal,” he said via email. “Honor among thieves has always been a Hollywood myth. Above and beyond the normal for profit attack motive we most often focus on, ego is still very much a motive too.”
