Account Takeover , Cybercrime , Cybercrime as-a-service

Joker's Stash Celebrates Turkey Day With Stolen Card Data

Fraudsters Invited to Dine Out on 460,000 Stolen Turkish Payment Cards
Joker's Stash Celebrates Turkey Day With Stolen Card Data
Source: Group-IB

The notorious Joker's Stash marketplace for fraudsters has recently listed a large trove of personally identifiable information for sale, featuring a massive quantity of stolen payment cards issued by Turkish banks.

See Also: How To Cut Through The Web Of Insurance Fraud

So warns Singapore-based cybersecurity firm Group-IB, which says Joker's Stash, a popular cybercrime "carder" shop that sells PII and stolen credit and debit card data, listed more than 460,000 such records from Oct. 28 to Nov. 27.

The stolen payment data predominantly traces to Turkey's 10 largest banks, Group-IB says. "Cards from Turkey are very rare on the card shops; in the past 12 months this is the only big sale of payment cards related to Turkish banks," the company says. In its entirety, the data is retailing for about $500,000, the security firm says, noting that the data appears to be brand new.

The compromised data appeared on Joker's Stash in four batches:

  • "Turkey-Mix-01 (Fresh Sniffed CVV)": Posted on Oct. 28, listed 60,000 cards for $3 each;
  • "Turkey-Mix-02 (Fresh Sniffed CVV): Posted on Oct. 28, listed 60,000 cards for $3 each;
  • "Turkey-Mix-03-Special-Price-1USD (Fresh Sniffed CVV): Posted on Nov. 27, listed 190,000 cards for $1 each, promising a validity of 85 to 90 percent, adding "time for refunds: 15 minutes";
  • "Turkey-Mix-04-Special-Price-1USD (Fresh Sniffed CVV): Posted on Nov. 27, listed 205,000 cards for $1 each, promising a validity of 85 to 90 percent, adding "time for refunds: 15 minutes."

It's not clear what mechanism was used to amass the stolen card data. "A breakdown of the data indicated that all the cards could have likely been compromised online either due to phishing, malware or increased activity of JavaScript sniffers," says Dmitry Shestakov, head of Group-IBs's cybercrime research unit, in a report.

"All of the compromised credit and debit card records in this database were identified as raw card data also known as 'CCs' or 'fullz' and contained the following information: card number, expiration date, CVV/CVC, cardholder name as well as some additional information such as email, name and phone number," Shestakov says.

Excerpt from the first batch of stolen Turkish payment card data being sold on Joker's Stash (Source: Group-IB)

Those latter details, of course, aren't encoded on the magnetic stripe of a credit or debit card, meaning that the details wouldn't have been amassed via compromising physical card readers used at point-of-sale terminals in brick-and-mortar establishments.

So the heist looks to have been the work of attackers operating online, against e-commerce sites - potentially - or perhaps a gang that hacked into customer databases.

Excerpt from the second batch of stolen Turkish payment card data being sold on Joker's Stash (Source: Group-IB)

"Upon identification of this information, Group-IB team has immediately alerted relevant Turkish local authorities about the sale of the payment records, so they could take appropriate measures and mitigate the risks," Shestakov says. "The source of this data compromise remains unknown."

Potential Culprit: Magecart

One likely culprit for the tactic used to amass the payment card data would have been Magecart gangs. Magecart is an umbrella term used to describe the tools and tactics used by multiple groups of attackers, to tamper with online systems and steal payment card data

Magecart attacks against content management and e-commerce systems continue to escalate. In May, the security vendor RiskIQ wrote that it had detected "some of the most significant Magecart attacks ever carried out." Online shops running e-commerce platforms - including Magento - remain a prime target for groups running web-skimming attacks, says Yonathan Klijnsma, a RiskIQ threat researcher (see: Magento Marketplace Suffers Data Breach, Adobe Warns).

Such attacks, which are sometimes referred to as digital skimming, typically involve exploiting vulnerabilities or outdated software to install malicious code that collects payment card details and sends them to a remote server, for later retrieval by attackers.

"Vendors need to make sure they are protecting their websites and web apps - especially when they are collecting personally identifiable information or financial information from customers," Aaron Lint, chief scientist and vice president of research at Arxan, has told Information Security Media Group (see: Magecart Group Continues Targeting E-Commerce Sites).

Card Sales Surge

Security experts say one reason for the escalation in Magecart-style attacks is simple: They're working. For cybercriminals, time is money, and any tools or tactics that bring them a payday, more quickly, have always been prized.

Carder market sales continue to be strong as fraudsters purchase stolen card data en masse. Comparing the 12-month period starting July 1, 2017, to the 12 months starting July 1, 2018, the carding market grew by 33 percent, reaching an estimated $880 million in sales, according to Group-IB's Hi-Tech Crime Trends 2019/2020 threat report.

"The sale of raw card data, exactly the same type of payment records offered in this case with Turkey - expiration date, CVV/CVC, cardholder name - is also on rise today, having increased by 19 percent in the corresponding period," Group-IB says.

JavaScript sniffers, aka JS-sniffers, are a likely reason for this rise, the security firm says, noting that so far in 2019, it's been tracking at least 38 different families of JavaScript sniffers, and that the number continues to grow.

While many Magecart groups make use of JavaScript sniffers, so do other gangs.

"Most JS-sniffer families are designed to steal information from the payment forms from the websites running on a specific CMS. However, there are also universal ones - they can steal information from payment forms and do not require modifications tailored to specific websites," Group-IB says.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.