
29 November 2019

Keep calm and save your data: Group-IB analyzed threats to banking customers

Group-IB, a Singapore-based company that specializes in preventing cyberattacks, today presented its annual «Hi-Tech Crime Trends 2019-2020» report, highlighting the main trends of the cybercriminal world, at the international conference CyberCrimeCon’2019 in Singapore. Group-IB researchers analyzed underground cardshops selling compromised card data and identified several key trends in attacks on banking customers. Complex banking Trojans have given way to a new threat, JavaScript sniffers, which contributed heavily to carding becoming the fastest-growing segment among threats to banking customers in 2019.


General trends of the carding market

Group-IB’s report covers the period from H2 2018 to H1 2019 and compares it to H2 2017 to H1 2018. Using its own infrastructure for monitoring underground forums and cardshops, Group-IB has collected comprehensive information about the carding market and is able to identify various anomalies. Over the review period, the number of compromised cards uploaded to underground forums increased from 27.1 million to 43.8 million. The size of the carding market, in turn, grew by 33 percent to USD 879.7 million. The average price for raw card data, also known as CVVs (card number, expiration date, cardholder name, CVV), rose from USD 9 to USD 14, while the average price for a dump (the information contained in the magnetic stripe) fell from USD 33 to USD 22.

Compromised card data related to US banks turned out to be the most widespread and therefore the cheapest on the market, with the price for up-to-date raw card data of such cards ranging between USD 8 and USD 10 and the price for dumps between USD 16 and USD 24. Meanwhile, the average price for raw card data belonging to the customers of European banks is much higher, at USD 18-21, while the price for the corresponding dumps ranges between USD 100 and 120. The compromised card data of APAC banks’ customers also falls within the high-price category, with raw card data costing USD 17-20 per card and dumps USD 80-124, because such cards are less often offered for sale on underground forums.

Dumps still account for 80 percent of the carding market, with at least 31.2 million dumps having been put up for sale in the corresponding period, a 46-percent growth year-on-year. The main method of compromising magnetic stripe card data (dumps) was infecting computers connected to POS (point of sale) terminals with Trojans that scrape payment card data from RAM (random access memory). Over the given period, four new POS Trojans were identified that had been actively used in attacks but had previously gone unnoticed.

The sale of raw card data is also on the rise, having increased by 19 percent in the corresponding period. One of the key reasons behind this trend could be JavaScript sniffers (JS-sniffers), a type of malware designed to steal customer payment data from online stores: payment card numbers, cardholder names, addresses, user credentials, etc. The compromised payment card data is either put up for sale in underground cardshops or used by cybercriminals to purchase valuable items. In 2019 alone, Group-IB experts identified at least 38 different families of JS-sniffers, a number that is continuously growing and already exceeds the number of banking Trojan families for PC and Android.


JS-sniffers: new trend behind the growth of the carding market

The United States ranks first in terms of the number of cards compromised as a result of the activity of JS-sniffers, followed by the United Kingdom. The UK ranking second is mainly due to a British Airways data breach in late 2018, during which its website was infected with a JS-sniffer. As a result, the data of over 300,000 customers was compromised, and a fine of USD 229 million was then imposed on the airline due to the breach.

JS-sniffers represent a threat to other countries as well, especially those where the 3D Secure protocol is not widely implemented. Most JS-sniffer families are designed to steal information from the payment forms of websites running on a specific CMS (content management system); there are, however, also universal families that can steal information from payment forms without modifications tailored to a specific website. The MagentoName and CoffeMokko families of JS-sniffers, both of which were involved in massive infection campaigns, are thought to be the most aggressive, with over 440,000 people visiting the websites infected with these JS-sniffers every day. The JS-sniffer family that comes third in this ranking is WebRank, which infected websites that together attracted 250,000 visitors. The analysis of attacks on APAC online shoppers indicates that there are at least 11 families of JS-sniffers used to infect websites in the region: MagentoName, Inter, addtoev Group, Qoogle, Illum, CoffeMokko, EUTag, WebRank, ImageID, TokenLogin and OnlineStatus.

Using its own tools for monitoring underground forums and cardshops, Group-IB discovered that the biggest leaks of bank card data are related to the compromise of US retailers. The United States is the leader in terms of the number of compromised bank cards, accounting for 93 percent of the total. The United States is followed in this ranking by Middle Eastern countries, namely Kuwait, Pakistan, the UAE and Qatar. Given the growing popularity of this new way of obtaining raw card data, Group-IB experts believe that ecommerce websites in both developed and developing countries should be aware of this threat and take measures to reduce the risk of falling victim to JS-sniffers. Group-IB experts recommend that users have a separate prepaid card for online payments or even a separate bank account used exclusively for online purchases. The admins of ecommerce websites, in their turn, need to keep their software updated, carry out regular cybersecurity assessments of their websites and not hesitate to seek assistance from cybersecurity specialists whenever needed.

Group-IB is one of the leading providers of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection. Group-IB Threat Intelligence system was named one of the best in class by Gartner, Forrester, and IDC.

Group-IB’s technological leadership is built on the company’s 16 years of experience in cybercrime investigations all over the world and 55 000 hours of incident response accumulated in the largest forensic laboratory in Eastern Europe and a 24/7 CERT-GIB.

Group-IB is a partner of INTERPOL, Europol, and a cybersecurity solutions provider, recommended by SWIFT and OSCE. Group-IB is a member of the World Economic Forum.
