General trends of the carding market
Group-IB’s report covers the period from H2 2018 to H1 2019 and compares it to H2 2017 — H1 2018. By leveraging its own infrastructure for monitoring of underground forums and cardshops, Group-IB has collected comprehensive information about the carding market and is capable of identifying various anomalies. Over the review period, the number of compromised cards uploaded to underground forums increased from 27.1 million to 43.8 million. The size of the carding market, in turn, grew by 33 percent and amounted to USD 879.7 million. The average price for raw card data also known as CVVs (card number, expiration date, cardholder name, CVV) rose from USD 9 to USD 14, while the average price for a dump (the information contained in the magnetic stripe) fell from USD 33 to USD 22.
Compromised card data related to US banks turned out to be most widespread and therefore the cheapest on the market, with the price for up-to-date raw card data of such cards ranging between USD 8 and USD 10 and the price for dumps costing between USD 16 and USD 24. Meanwhile, an average price for raw card data belonging to the customers of European banks is much higher and totals USD 18-21, while the price for relevant dumps ranges between USD 100 and 120. The compromised card data of APAC banks’ customers also falls within high price category, with raw card data costing USD 17-20 per card and dumps — USD 80-124, because they are less often offered for sale on underground forums.
Dumps still account for 80 percent of the carding market, with at least 31.2 million of dumps having been put up for sale in the corresponding period, which is a 46-percent growth year-on-year. The major method to compromise the magnetic stripe card data (dumps) was infecting computers connected to POS (point of sale) terminals with Trojans that collect payment card data from RAM (random access memory). Over the given period, four new POS Trojans have been identified, which had been actively used in attacks but remained unnoticed.
JS-sniffers: new trend behind the growth of the carding market
The United States ranks first in terms of the number of cards compromised as a result of the activity of JS-sniffers, followed by the United Kingdom. The UK ranking second is mainly due to a British Airways data breach in late 2018, during which its website was infected with a JS-sniffer. As a result, the data of over 300,000 customers was compromised, and a fine of USD 229 million was then imposed on the airline due to the breach.
JS-sniffers represent a threat to other countries as well, especially to those where the 3D Secure protocol is not widely implemented. Most JS-sniffer families are designed to steal information from the payment forms from the websites running on specific CMS (content management systems), however there are also universal ones — they can steal information from payment forms and do not require modifications tailored to specific websites. MagentoName and CoffeMokko families of JS-sniffers, both of which were involved in massive infection campaigns, are thought to be the most aggressive, with over 440,000 people visiting the websites infected with these JS sniffers every day. The JS-sniffer family that comes third in this ranking is WebRank, which infected website that together attracted 250,000 visitors. The analysis of attacks on APAC online shoppers indicates that there are at least 11 families of JS-sniffers that are used to infect websites in the region: MagentoName, Inter, addtoev Group, Qoogle, Illum, CoffeMokko, EUTag, WebRank, ImageID, TokenLogin и OnlineStatus.
Using its own tools for underground forums and cardshops monitoring, Group-IB discovered that the biggest leaks of bank card data are related to the compromise of US retailers. The United States is leader in terms of the number of compromised bank cards, accounting for 93 percent of the total number. The United States is followed in this ranking by Middle Eastern countries, namely Kuwait, Pakistan, the UAE and Qatar. Taking into account the growing popularity of the new way to obtain raw card data, Group-IB experts assume that ecommerce websites of both developed and developing countries should be aware of this threat and take measures to neutralize the possibility of becoming a victim of JS-sniffers. Group-IB experts recommend that users should have a separate pre-paid card for online payments or even a separate bank account exclusively for online purchases. The admins of eCommerce websites, in their turn, need to keep their software updated, carry out regular cybersecurity assessments of their websites and not hesitate to seek assistance from cybersecurity specialists whenever needed.