Keep calm and save your data: Group-IB analyzed threats to banking customers

Group-IB, a Singapore-based company that specializes in preventing cyberattacks, today presented its annual "Hi-Tech Crime Trends 2019-2020" report, highlighting the main trends of the cybercriminal world, as part of the international conference CyberCrimeCon’2019 in Singapore. Group-IB researchers analyzed underground cardshops selling compromised card data and identified several key trends related to attacks on banking customers. Complex banking Trojans have given way to a new threat, JavaScript sniffers, which have greatly contributed to the fact that in 2019 carding became the fastest-growing segment among threats to banking customers.

General trends of the carding market

Group-IB’s report covers the period from H2 2018 to H1 2019 and compares it to the period from H2 2017 to H1 2018. By leveraging its own infrastructure for monitoring underground forums and cardshops, Group-IB has collected comprehensive information about the carding market and is capable of identifying various anomalies. Over the review period, the number of compromised cards uploaded to underground forums increased from 27.1 million to 43.8 million. The size of the carding market, in turn, grew by 33 percent and amounted to USD 879.7 million. The average price for raw card data, also known as CVVs (card number, expiration date, cardholder name, CVV), rose from USD 9 to USD 14, while the average price for a dump (the information contained in the magnetic stripe) fell from USD 33 to USD 22.

Compromised card data related to US banks turned out to be the most widespread and therefore the cheapest on the market, with the price for up-to-date raw card data of such cards ranging between USD 8 and USD 10 and dumps costing between USD 16 and USD 24. Meanwhile, the average price for raw card data belonging to the customers of European banks is much higher and totals USD 18-21, while the price for the corresponding dumps ranges between USD 100 and USD 120. The compromised card data of APAC banks’ customers also falls within the high price category, with raw card data costing USD 17-20 per card and dumps USD 80-124, because such cards are less often offered for sale on underground forums.

Dumps still account for 80 percent of the carding market, with at least 31.2 million dumps having been put up for sale in the corresponding period, which is a 46-percent growth year-on-year. The main method of compromising magnetic stripe card data (dumps) was infecting computers connected to POS (point of sale) terminals with Trojans that collect payment card data from RAM (random access memory). Over the given period, four new POS Trojans were identified that had been actively used in attacks but had gone unnoticed.

The sale of raw card data is also on the rise today, having increased by 19 percent in the corresponding period. One of the key reasons behind this trend could be JavaScript sniffers (JS-sniffers), a type of malware designed to steal customer payment data from online stores: payment card numbers, cardholder names, addresses, user credentials, etc. The compromised payment card data is either put up for sale on underground cardshops or used by cybercriminals to purchase valuable items. In 2019 alone, Group-IB experts identified at least 38 different families of JS-sniffers, with this number continuously growing and already exceeding the number of banking Trojans for PC and Android.

JS-sniffers: new trend behind the growth of the carding market

The United States ranks first in terms of the number of cards compromised as a result of the activity of JS-sniffers, followed by the United Kingdom. The UK ranking second is mainly due to a British Airways data breach in late 2018, during which its website was infected with a JS-sniffer. As a result, the data of over 300,000 customers was compromised, and a fine of USD 229 million was then imposed on the airline due to the breach.

JS-sniffers represent a threat to other countries as well, especially to those where the 3D Secure protocol is not widely implemented. Most JS-sniffer families are designed to steal information from the payment forms of websites running on specific CMS (content management systems); however, there are also universal ones that can steal information from payment forms and do not require modifications tailored to specific websites. The MagentoName and CoffeMokko families of JS-sniffers, both of which were involved in massive infection campaigns, are thought to be the most aggressive, with over 440,000 people visiting the websites infected with these JS-sniffers every day. The JS-sniffer family that comes third in this ranking is WebRank, which infected websites that together attracted 250,000 visitors. The analysis of attacks on APAC online shoppers indicates that there are at least 11 families of JS-sniffers that are used to infect websites in the region: MagentoName, Inter, addtoev Group, Qoogle, Illum, CoffeMokko, EUTag, WebRank, ImageID, TokenLogin and OnlineStatus.

Using its own tools for monitoring underground forums and cardshops, Group-IB discovered that the biggest leaks of bank card data are related to the compromise of US retailers. The United States is the leader in terms of the number of compromised bank cards, accounting for 93 percent of the total number. The United States is followed in this ranking by Middle Eastern countries, namely Kuwait, Pakistan, the UAE and Qatar. Taking into account the growing popularity of this new way to obtain raw card data, Group-IB experts assume that eCommerce websites in both developed and developing countries should be aware of this threat and take measures to avoid falling victim to JS-sniffers. Group-IB experts recommend that users have a separate pre-paid card for online payments or even a separate bank account exclusively for online purchases. The admins of eCommerce websites, in their turn, need to keep their software updated, carry out regular cybersecurity assessments of their websites and not hesitate to seek assistance from cybersecurity specialists whenever needed.

About Group-IB

Group-IB, with its headquarters in Singapore, is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property. The company’s Threat Intelligence and Research Centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), and Europe (Amsterdam).

Group-IB’s Unified Risk Platform is an ecosystem of solutions that understands each organization’s threat profile and tailors defenses against it in real time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. Group-IB’s products and services consolidated in the Unified Risk Platform include Threat Intelligence, Managed XDR, Digital Risk Protection, Fraud Protection, Attack Surface Management, Business Email Protection, Audit & Consulting, Education & Training, Digital Forensics & Incident Response, Managed Detection & Response, and Cyber Investigations.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 19 years of hands-on experience in cybercrime investigations worldwide and more than 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.

Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to protect its clients in cyberspace every day by creating and leveraging innovative solutions and services.

Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.