Credit card details worth nearly $3.5 million put up for sale on hacking forum

Card details of 2.15 million Americans advertised in a separate forum ad.

ATM wiretapping and jackpotting on the rise in the US Drills are the weapon of choice for criminals who spy on your activities at the cash point.

Cyber-criminals have put up for sale three large collections of payment card "dumps" this past month, ZDNet has learned.

"Dumps" is a term used in the cyber-security industry to describe caches of stolen payment card details that are released or put up for sale. Cyber-criminals buy these "dumps" to create cloned cards to later withdraw money from the real owners' bank accounts via mass ATM withdrawals.

All three card dumps were released on Joker's Stash, the most notorious and well-known underground marketplace for selling stolen credit card dumps.

Of the three dumps that ZDNet learned about this week, two contain the card details of Pakistani users. The two weren't extremely large releases, but contained never-before-released, complete, and highly accurate payment card information, making them very valuable for buyers.

According to a non-public report shared with ZDNet by Russian cyber-security firm Group-IB, the two dumps collectively contained the card details of 69,189 Pakistani bank customers.

Group-IB said both dumps were published on the Joker's Stash portal at the end of January, and that 96 percent of all the card details came from one bank --Meezan Bank Ltd.

  • First round of card dumps published on January 24 included 1,535 cards, with 1,457 from Meezan Bank. Advertised solely on Joker's Stash.
  • Second round of card dumps published on January 30 included 67,654 cards, with 96 percent belonging to Meezan Bank customers. Card stash was advertised on Joker's Stash, but also other cards hops, such as Omerta, Crdclub, Enclave, and others.

"Pakistani banks' cards are rarely sold on underground cardshops. This, and the fact that all the cards came on sale with PIN codes explains the high price, which was kept at 50 USD per card, while usually the price per card on dark web forums ranges from 10 to 40 USD," Group-IB said.

This high per-card price tag put the total value of the card dump to a whopping $3.5 million, which will net quite the profit for its sellers.

Pakistan February 2019

Image: Group-IB (provided)
Pakistan January 2019

Image: Group-IB (provided)

This is not the first time that Group-IB has spotted card dumps from Pakistani banks being sold on Joker's Stash and other card shops.

The company's experts saw a cache of 177,878 cards from Pakistani and other international banks last year, on November 13.

Pakistan November 2018

Image: Group-IB (provided)

Those card dumps were published two weeks after Pakistani media reported that hackers breached the IT systems of several local banks --a claim that most banks denied, despite contrary statements from Pakistani law enforcement officials.

With the new dump, rumors are now again swirling that Pakistani banks might have gotten hacked once again, and with 96 percent of all the card details coming from Mazeen Bank, users will be looking at the bank for an explanation.

The bank did not reply to Group-IB experts who reached out to notify it, nor to a request for comment from ZDNet before this article's publication.

But Group-IB wasn't the only threat intel firm that reached out to ZDNet with a scoop about a huge card dump being put up for sale.

This week, Joker's Stash operators also advertised what they called the "DaVinci Breach," a dump containing the card details for over 2.15 million US bank customers from 40 states.

The threat intel company, which did not want its name publicly disclosed, said it was still looking into the breach and the validity of its data, however, all signs point to this being a valid dump --currently of unknown origin.

US February 2019

Image: ZDNet

According to Group-IB, there are various ways in which crooks can abuse the card dumps they buy from card shops such as Joker's Stash.

The easiest way is to create cloned cards using the details of legitimate cards.

"Money mules use these fake cards to either withdraw money from ATMs or buy goods in, which are later resold by fraudsters," Group-IB said.

"Another scheme of cashing out involves the use 'white plastic' dumps (cloned cards) and dummy companies (linked to money mules) with bank accounts and POS terminals," the company said.

The idea is that fraudsters create their own companies, then create cloned cards, and then use the cloned cards to purchase non-existent goods via POS terminals.

Once the money reaches the fake company's bank account, crooks withdraw funds from ATMs without fearing that they might trigger alerts at banks and get caught.

Group-IB says money laundering schemes are usually detected by banks' antifraud systems, but "emerging markets banks frequently do not have adequate anti-fraud controls, making this attack type viable" --hence the reason why most mass ATM withdrawls with cloned cards usually takes places in third-world countries.

Related cybersecurity news coverage: