Stolen Cards, Reportedly From Cardpool.com, Sold on DarknetGemini Advisory Says Russian Cybercriminal Sold Gift Card, Payment Card Data
A Russian-speaking cybercriminal recently sold on a darknet forum thousands of stolen payment and gift cards that researchers at Gemini Advisory believe were taken from the now-defunct online gift card exchange Cardpool.com.
In a report released Tuesday, the threat intelligence firm says the cybercriminal listed 895,000 stolen gift cards and 330,000 stolen payment cards for sale in February on a Russian cybercrime forum. The stolen gift cards, which have an estimated face value of $38 million, were issued by more than 3,000 companies, including Airbnb, Amazon, American Airlines, Chipotle, Dunkin', Home Depot, Marriott and Nike, the research report says.
Once the database with 895,000 gift cards was quickly sold, the cybercriminal then posted for sale data on 330,000 credit and debit cards, which included the victims’ billing addresses, payment card numbers, expiration dates and bank names, but did not include the CVV or cardholder name, Gemini Advisory reports.
Based on its analysis of the payment and gift card data, Gemini Advisory says all the data likely was obtained in a breach of the Cardpool.com website, which the attacker may have targeted between Feb. 4 and Aug. 4, 2019.
San Francisco-based Cardpool was a gift card exchange service that enabled individuals to buy, sell and trade their gift cards. Cardpool shut down its operation in February, citing pandemic-related operational difficulties. "We do not know if Cardpool suspected that it had been breached or if that was the cause for the company closing down," says Christopher J.S. Thomas, an intelligence product analyst with Gemini Advisory.
Prior to its closure, Cardpool had 300,000 monthly visitors, 85% of whom were located in the U.S, according to the Gemini Advisory report.
Because the payment card data offered for sale by the cybercriminal did not contain CVVs, Gemini Advisory says Cardpool may have been breached by accessing the website's back end. That's because if a hacker had accessed the card data by injecting a payment card skimmer onto the site, the data would have contained CVV and cardholder names.
"Attackers can acquire back-end access to online shops through a variety of methods, including exploiting vulnerabilities in sites’ content management systems and brute-forcing admin login credentials," according to the research report.
The seller of the stolen card data, which Gemini Advisory did not identify, is a prolific Russian-speaking hacker who has posted similar offerings in the past, the researchers say.
The seller auctioned the Cardpool gift cards database at a starting price of $10,000 and a buy-now price of $20,000; the database was purchased shortly after posting, the researchers say.
The hacker began the bidding for the payment card database later the same day at $5,000 and issued a buy-now price of $15,000. That database sold within days, according to the Gemini Advisory report.
Earlier, the same seller had offered for sale other stolen payment card data, compromised databases and the personally identifiable information of victims in the U.S., the researchers say.
Why Gift Cards Are Valuable
The stolen payment card data was offered for sale at a lower price than the stolen gift cards "likely because of the lack of CVV data or cardholder name included with each card, and the fact that the breach occurred in 2019," Thomas notes. "Both factors lower the likelihood that a fraudster can successfully conduct transactions with a card."
Typically, payment card data collected through card-not-present attacks, which contains the CVV, is sold at a median price of $12 on the dark web, Gemini Advisory notes. If the card does not include the CVV, its price drops to $6.
Another reason gift cards can command a higher price on criminal forums is that they are difficult to trace back to the fraudsters, Gemini Advisory notes.
"With gift cards, cybercriminals basically have two options for monetization: purchase goods and resell them or … sell the cards to a third-party gift card marketplace like Cardpool," the report notes. "The big advantage for cybercriminals is that there are far fewer identity verification checks with gift cards; they can simply enter the gift card code online and complete the purchase or walk into a store and swipe the gift card."