24 April 2020

South Korean and US payment card details worth nearly $2M up for sale in the underground

Group-IB, a Singapore-based cybersecurity company, has detected a dump containing details for nearly 400,000 payment card records uploaded to a popular darknet cardshop on April 9. The database was comprised almost entirely of the payment records related to banks and financial organizations in South Korea and the US. It should be noted that it is the biggest sale of South Korean records on the dark web in 2020, which contributes to the growing popularity of APAC-issued card dumps in the underground. The provenance of this data remains unknown. Group-IB has informed proper authorities in South Korea and the US so they could take necessary steps, and continues to work closely with its partners in these countries to mitigate the impact of an incident.

During cardshop monitoring Group-IB Threat Intelligence system has detected a database under the name «SCARFACE-DISCOUNT-SALE-5USD (fresh skimmeD): USA (STATES MIX + few EU) TR1 + TR2/TR2, VALID 30-40%, uploaded 2020-04-09 (NON-REFUNDABLE BASE)» released and put up for sale on April 9. Joker’s Stash — the infamous underground marketplace — put a USD 1,985,835 price tag on the set, at USD 5 apiece, and announced that dump had 30-40% valid rate.

Fig. 1 — Advertisement for new base on Joker’s Stash

Fig. 1 — Advertisement for new base on Joker’s Stash

The total number of records exposed is 397,365. Even though the database name didn’t include a single mention of South Korea, South-Korean card details made up the majority in the newly released batch — roughly 49.9% (198,233 items valued at USD 991,165.) were from the South Korea’s banks and financial organizations. 49,3% were related to US banks and financial organizations. While American card dumps have traditionally been most commonly traded in the dark web, the South Korean payment card details are a very rare commodity in the underground. The newly released database marks the biggest sale for South Korean card dumps in 2020, the latest massive upload of credit and debit card details from this country occurred more than 8 months ago.

Fig. 2 — Sale of South Korean-issued card dumps in the underground

Fig. 2 — Sale of South Korean-issued card dumps in the underground

Group-IB found out that over the past few years APAC-issued card dumps have been offered for sale increasingly often and starting from 2019 became the second most popular target in the underground by the number of massive abnormal spikes in their sales, surpassed only by US-issued dumps — all-time «champion» on this market. The growing supply of APAC-issued cards dumps pressures the prices down making them more available. In recent years, Group-IB reported on a number of instances originating from APAC, such as the sale of the record-breaking database holding more than 1.3 million credit and debit card dumps of mainly Indian banks’ customers in October 2019. Pakistan-issued dumps have been also traded in large volumes in February 2019 and November 2018. Remarkably, card dumps do not necessarily get compromised in a card-issuing country, the data can be snatched when a card owner travels overseas to a country where advanced payment security measures, such as EMV, are not widely implemented, and uses an infected Point-of-Sale (POS) terminal.

The database of the credit and debit card details mainly contains Track 2 information — the data stored on the magnetic stripe of a card, which includes the bank identification number (BIN), the account number, expiration date and may also include the card verification value (CVV). The Track 2 data (also referred as card dumps) is used for card present transactions and usually comes from infected POS terminal, from ATM skimmers or breached merchant’s payment system. However, in this case the source of the stolen data remains unknown.

Fig. 2 Types of information contained in the databaseh

Fig. 3 — Payment card details released on April 9

Group-IB has already provided the information about the incident to the national CERTs and financial sharing organizations in the US and South Korea so they could take all necessary steps to mitigate the risks, and continues outreach to the affected parties through its partners in South Korea and the US.

Even though, there is not enough information in this dump to make online purchases, fraudsters who buy this data can still cash out stolen records. If a breach is not detected promptly by the card-issuing authority, crooks usually produce cloned cards („white plastic“) and swiftly withdraw money via ATMs or use cloned cards for illicit in-person purchases. Constant underground monitoring for compromised personal and payment records of their customers, gives banks and financial organizations the ability to mitigate risks and further damage by quickly blocking stolen cards and track down the source of the breach.

Shawn Tay

Shawn Tay

Senior Threat Intelligence analyst of Group-IB

Group-IB is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigation of high-tech crimes and intellectual property protection, headquartered in Singapore. The company’s threat intelligence and research centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), Europe (Amsterdam), and Russia (Moscow).

Group-IB’s Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester, and IDC. Group-IB’s Threat Hunting Framework (earlier known as TDS) intended for the proactive search and the protection against complex and previously unknown cyberthreats has been recognized as one of the leaders in Network Detection and Response by the leading European analyst agency KuppingerCole Analysts AG, while Group-IB itself has been recognized as a Product Leader and Innovation Leader. Gartner identified Group-IB as a Representative Vendor in Online Fraud Detection for its Fraud Hunting Platform. In addition, Group-IB was granted Frost & Sullivan’s Innovation Excellence award for its Digital Risk Protection (DRP), an Al-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks with the company’s patented technologies at its core.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 18 years of hands-on experience in cybercrime investigations worldwide and 70,000 hours of cybersecurity incident response accumulated in our leading forensic laboratory, high-tech crime investigations department, and round-the-clock CERT-GIB. Group-IB is a partner of Europol.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.

Report an incident

Get 24/7 incident response assistance from our global team

APAC: +65 3159-3798
Europe: +31 20 226-90-90
EMA: +971 4 508 1605

Thank you for filling out the form! We will get back to you shortly.

We use cookies on the website to make your browser experience more personal, convenient and secure. You may block or manage the use of cookies, however, in some cases they’re essential to make this site work properly. Learn more about cookies in Group-IB Privacy And Cookies Policy.

Report an incident