Breach alert in South Korea after 1m card details were put up for sale online

Source of the card records remains a mystery. Could be a bank, a restaurant chain, a PoS provider.

South Korea card dump spike

Volume of South Korean-issued records added to the dark web

Image: Gemini Advisory

Authorities and companies in South Korea should be scrambling by now to track down a major card breach after the details of more than one million payment cards have been put up for sale online over the past two months.

Details for 890,000 and 230,000 payment cards were put up for sale on a hacking forum in July and June, respectively, cyber-security researchers from Gemini Advisory have told ZDNet today.

Source of the breach unidentified

The source of these payment card details has not yet been identified, researchers said. Based on the fact that the card records only contained CP (Card Present) details, this automatically rules out web-based skimmers (Magecart scripts) installed on online stores.

Possible sources of where crooks may have obtained the card records include (1) malware installed on Point-of-Sale (PoS) systems at stores or restaurants; (2) a breach at a bank, payment provider, or PoS company; or (3) card skimmer devices installed on ATMs or PoS terminals.

However, because EMV cards are widely adopted in South Korea, the third source seems very unlikely.

Cards from South Korea and APAC countries are in high-demand

The Gemini team also points out that there was a high demand for South Korean card data on cybercrime forums before this recent dump, which might have triggered cybercrime groups going after South Korean targets, and indirectly causing the current breach.

This high demand also explains why crooks are selling this payment card dump at a higher price than before.

"The median price per record from this spike is $40 USD, which is significantly higher than the median price of South Korean CP records across the dark web overall, which is approximately $24 USD," Gemini researchers said in a report published today and shared with ZDNet. "This sudden influx in card supply may be highly priced in an attempt to capitalize on the growing demand."

South Korean card details

Image:Gemini Advisory (supplied)

In an email to ZDNet, Christopher Thomas, a security researcher with Gemini Advisory, explained why cybercriminal groups have been recently focusing on South Korea, and the Asia-Pacific region as a whole, in recent years.

"The demand for payment card data issued by the APAC banks has always been high," Thomas told ZDNet. "Since many of these financial institutions have less sophisticated antifraud systems than their Western counterparts, cybercriminals learned that the return on investment for APAC cards is much higher when compared to North American cards.

"Disturbingly enough, it appears that hackers have learned that South Korean payment infrastructure is especially vulnerable to attacks, which resulted in the massive breach that is currently unfolding," Thomas added.

Source of the breach won't stay a mystery for long

This entire case is similar to a report from February, this year, when security researchers found card records for 2.15 million US citizens on an underground carding forum.

A month later, that card dump was linked to a breach at Earl Enterprises, a US company that owns several restaurant chains such as Planet Hollywood and Earl of Sandwich, which admitted to hackers breaching its IT network and planting PoS malware at various restaurants.

For now, the mystery of where these South Korean card details came from remains unsolved. However, this won't remain a mystery for longer.

As card-cloning groups start buying and using the cards, owners will start reporting fraudulent activity, and authorities will eventually track down the common payment handler in all of the victims' reports.

Related malware and cybercrime coverage: