Hacking Back? BriansClub Dark Web Attack a Boon for Banks


The theft of 26 million card records from an underground site offers valuable intel for banks.

UPDATE

A Dark Web “carding store” called BriansClub, which specializes in selling stolen payment card information, has itself become a victim, with thieves making off with 26 million credit- and debit-card records. The site appears to be a target of roundabout “hacking back” by a competitor, who shared the data with financial institutions in an effort to cut off any potential card fraud.

The data set represents everything uploaded to BriansClub in the last four years, according to independent researcher Brian Krebs (ironically, the forum’s namesake). Of those, 14 million of the payment cards are unexpired, Krebs said in a posting this week.

The marketplace’s wares come in the form of digital card information that could be encoded onto a card with a magnetic stripe in order to produce counterfeit payment cards. Its total inventory, according to the going black-market rates analyzed by Flashpoint, is worth $414 million. However, Krebs also noted that BriansClub has only sold 9.1 million stolen cards in that time period (granted, still earning the site $126 million worth of Bitcoin).


“It’s interesting to note that Krebs thinks the supply of stolen cards for sale on BriansClub outstrips demand – there are literally more stolen credit cards up for sale than criminals know what to do with,” Paul Bischoff, privacy advocate with Comparitech, said via email.

Meanwhile researchers noted that the data that has been delivered to banks and card issuers provides invaluable intel for them.

“This hack is a great reminder of the dollar amounts at risk for all stakeholders – consumers, credit card companies and banks – with credit card thefts, and the need to understand how to mitigate the potential financial loss,” Jack Kudale, founder and CEO of Cowbell Cyber, told Threatpost. “Visibility into Dark Web exposure can help financial services companies stay current on the actual level of cyber insurance coverage they need.”

After being contacted by Krebs, the BriansClub site administrator confirmed that the site’s data center had been hacked.

“From a broader security perspective, the incident is classed as a breach, and while the data that was taken was obtained by criminal activity, legitimate businesses should take note,” Jens Monrad, head of Intelligence for EMEA at FireEye, said via email. “When we talk about the theft of data, it is important to differentiate from threats in the real world, where there is a chance of getting what was stolen back. In cyberspace, the value of data from a threat actor perspective will either be for financial gain, to fuel further attacks or cause havoc in the interest of foreign governments. The data will not be ‘returned’ so it becomes harder to anticipate future threats down the line. Therefore, it’s important to detect and respond to a cyberattack quickly, so the consequences of critical or sensitive data theft do not ripple across the organization in weeks, months or years to come.”

It’s unknown who the perpetrators are in the re-stealing of the information, but the situation is sure to shake up the Dark Web landscape, according to Terence Jackson, CISO at Thycotic.

“The immediate impact will be a positive one for consumers since the data has been shared with the proper entities that can reissue the affected cards,” he told Threatpost. “As far as what this means for the Dark Web, I suspect another site will take its place.”

Monrad added, “At this time, the source of the breach is unclear. It is not uncommon for rival underground actors to target their peers, both to demonstrate their skills but also to take out the competition. In the past, significant breaches of underground sites have aided in law enforcement activity.”

In a follow-up post, Krebs said that, according to the administrator of the Russian-language cybercrime forum Verified, the hack of BriansClub “was perpetrated by a fairly established ne’er-do-well who uses the nickname ‘MrGreen’ and runs a competing card shop by the same name.”

It was originally conjectured that perhaps a white-hat or corporate resource carried out the attack, which brings up the hack-back discussion once again. The concept of hacking back, i.e., offensive cybersecurity efforts by private parties, has been controversial for some time. Opponents have two main objections: some question whether legitimizing offensive attacks will open the door to a new kind of corporate warfare, and others are concerned that it would have a chilling effect on cyber-research by criminalizing white-hat activity like vulnerability research and pen-testing.

Hacking back was in the limelight especially last year, when the governor of Georgia vetoed a bill that would make it legal in some instances to do so. It would have allowed “active defense measures that are designed to prevent or detect unauthorized computer access.”

“It will be interesting to see if other Dark Web sites become targets of hacking back,” Jackson said.

This posting was updated at 6 p.m. ET on Oct. 17, to reflect the information on who carried out the attack.
