Credit, debit card data of half a million Indians up for sale on dark web
Credit and debit card details of nearly half a million Indians have been put up for sale on an underground website that is a popular resource for financial fraud, according to cybersecurity researchers who say the leak is the most serious in at least the last 12 months.

The data, put up for sale on Joker’s Stash, includes a sensitive level of detail – expiration dates, CVV/CVC codes, cardholders’ names, and even email addresses in some cases – in addition to the 14-16 digit card numbers, according to Group IB, a Singapore-based cybersecurity firm.
These can together be used for carrying out financial transactions online without the need for any other method of authentication.
“This is the second major leak of cards relating to Indian banks detected by Group-IB threat intelligence team in the past several months... In the current case, we are dealing with so-called fullz — they have info on card number, expiration date, CVV/CVC, cardholder name as well as some extra personal info,” said Dmitry Shestakov, the head of Group-IB’s cybercrime research unit, in an email to HT.
Each of the 461,976 cards’ details was being sold for $9, bringing the total value of the data leak to $4.2 million. “Such type of data is likely to have been compromised online,” he added.
According to the Reserve Bank of India’s 2018-19 annual report, there were 1,866 instances of fraud through cards and internet banking. An average of ₹20 lakh was stolen per fraud, the RBI’s data said.
Indian cybersecurity officials have alerted the Reserve Bank of India (RBI) and all Indian banks that such data was being sold on the dark web, a senior official in a department handling cybersecurity said, asking not to be named. “We do not know how many of these cards are active,” the official said, adding that many could be old or inactive cards.
“Once RBI and banks inform us of the nature of the data being sold, investigations on how the information was accessed can be more targeted and specific,” a second senior official, also in a cybersecurity department, said.
Group IB found a similar card data dump in October, but, the organisation’s representatives added, that information was limited to data contained in a card’s magnetic strip. Usually, most payment gateways across the world require additional details such as CVV and expiration dates to authenticate a transaction – information that may not have been available in the leak reported in October. The first included a much larger number of cards (1.3 million), but the listing was soon taken offline.
“As of Friday evening, 407 card details had been bought by someone,” Shestakov said, referring to the new data leak. “The data contained in the current database enables fraudsters to make any purchases online. In a basic scenario, criminals purchase luxury goods and then resell them,” he explained.
How this data was stolen or who was behind it was not immediately clear, but it appears to have been done by hackers who deployed tactics such as phishing, implanting malware or compromising e-commerce websites with “sniffers” that can capture a customer’s payment details.
“We have shared all the information discovered with our colleagues from CERT-In,” Shestakov added, referring to India’s Computer Emergency Response Team.
Transactions that are routed through Indian payment gateways mandatorily require a second layer of authentication – usually a password set by the cardholder or a one-time password (OTP) sent to the person’s mobile phone or email address.
This layer of protection is not mandatory for payment gateways outside of the country, for which the card number, the CVV number and expiration date are often adequate for a transaction.
According to Group IB’s Hi-Tech Crime Trends 2019-2020 report, which compared card data leaks from October 2017 to the end of September 2018 with those from October 2018 to the end of September 2019, the number of compromised cards uploaded to underground forums increased from 27.1 million to 43.8 million. The size of the carding market, in turn, grew by 33% and amounted to $879.7 million in total.
Compromised card data related to US banks has turned out to be most widespread and therefore the cheapest on the market, the report added.
Websites such as Joker’s Stash exist in what is known as the dark web -- a part of the internet not indexed by search engines such as Google. Websites on the dark web often rely on special networks such as Tor to anonymise their server addresses, making them untraceable.
(With inputs from Sudhi Ranjan Sen in New Delhi)