• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Taking over millions of developers exploiting an Open VSX Registry flaw

 | 

OneClik APT campaign targets energy sector with stealthy backdoors

 | 

APT42 impersonates cyber professionals to phish Israeli academics and journalists

 | 

Kai West, aka IntelBroker, indicted for cyberattacks causing $25M in damages

 | 

Cisco fixed critical ISE flaws allowing Root-level remote code execution

 | 

U.S. CISA adds AMI MegaRAC SPx, D-Link DIR-859 routers, and Fortinet FortiOS flaws to its Known Exploited Vulnerabilities catalog

 | 

CitrixBleed 2: The nightmare that echoes the 'CitrixBleed' flaw in Citrix NetScaler devices

 | 

Hackers deploy fake SonicWall VPN App to steal corporate credentials

 | 

Mainline Health Systems data breach impacted over 100,000 individuals

 | 

Disrupting the operations of cryptocurrency mining botnets

 | 

Prometei botnet activity has surged since March 2025

 | 

The U.S. House banned WhatsApp on government devices due to security concerns

 | 

Russia-linked APT28 use Signal chats to target Ukraine official with malware

 | 

China-linked APT Salt Typhoon targets Canadian Telecom companies

 | 

U.S. warns of incoming cyber threats following Iran airstrikes

 | 

McLaren Health Care data breach impacted over 743,000 people

 | 

American steel giant Nucor confirms data breach in May attack

 | 

The financial impact of Marks & Spencer and Co-op cyberattacks could reach £440M

 | 

Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 50

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • South Korean and US payment card details worth nearly $2M up for sale in the underground

South Korean and US payment card details worth nearly $2M up for sale in the underground

Pierluigi Paganini April 24, 2020

Group-IB experts discovere a dump containing details for nearly 400,000 payment card records uploaded to a popular darknet cardshop on April 9.

Singapore, 24/04/2020 – Group-IB, a Singapore-based cybersecurity company, has detected a dump containing details for nearly 400,000 payment card records uploaded to a popular darknet cardshop on April 9.

The database was comprised almost entirely of the payment records related to banks and financial organizations in South Korea and the US. It should be noted that it is the biggest sale of South Korean records on the dark web in 2020, which contributes to the growing popularity of APAC-issued card dumps in the underground.

The provenance of this data remains unknown. Group-IB has informed proper authorities in South Korea and the US so they could take necessary steps, and continues to work closely with its partners in these countries to mitigate the impact of an incident.

During cardshop monitoring Group-IB Threat Intelligence system has detected a database under the name “SCARFACE-DISCOUNT-SALE-5USD (fresh skimmeD): USA (STATES MIX + few EU) TR1 + TR2/TR2, VALID 30-40%, uploaded 2020-04-09 (NON-REFUNDABLE BASE)” released and put up for sale on April 9. Joker’s Stash – the infamous underground marketplace – put a USD 1,985,835 price tag on the set, at USD 5 apiece, and announced that dump had 30-40% valid rate.

Fig. 1 – Advertisement for new base on Joker’s Stash

The total number of records exposed is 397,365. Even though the database name didn’t include a single mention of South Korea, South-Korean card details made up the majority in the newly released batch – roughly 49.9% (198,233 items valued at USD 991,165.) were from the South Korea’s banks and financial organizations. 49,3% were related to US banks and financial organizations. While American card dumps have traditionally been most commonly traded in the dark web, the South Korean payment card details are a very rare commodity in the underground. The newly released database marks the biggest sale for South Korean card dumps in 2020, the latest massive upload of credit and debit card details from this country occurred more than 8 months ago.

Fig. 2 – Sale of South Korean-issued card dumps in the underground

Group-IB found out that over the past few years APAC-issued card dumps have been offered for sale increasingly often and starting from 2019 became the second most popular target in the underground by the number of massive abnormal spikes in their sales, surpassed only by US-issued dumps – all-time “champion” on this market. The growing supply of APAC-issued cards dumps pressures the prices down making them more available. In recent years, Group-IB reported on a number of instances originating from APAC, such as the sale of the record-breaking database holding more than 1.3 million credit and debit card dumps of mainly Indian banks’ customers in October 2019. Pakistan-issued dumps have been also traded in large volumes in February 2019 and  November 2018. Remarkably, card dumps do not necessarily get compromised in a card-issuing country, the data can be snatched when a card owner travels overseas to a country where advanced payment security measures, such as EMV, are not widely implemented, and uses an infected Point-of-Sale (POS) terminal.

The database of the credit and debit card details mainly contains Track 2 information – the data stored on the magnetic stripe of a card, which includes the bank identification number (BIN), the account number, expiration date and may also include the card verification value (CVV). The Track 2 data (also referred as card dumps) is used for card present transactions and usually comes from infected POS terminal, from ATM skimmers or breached merchant’s payment system. However, in this case the source of the stolen data remains unknown.

A screenshot of a cell phone

Description automatically generated

Fig. 3 – Payment card details released on April 9

Group-IB has already provided the information about the incident to the national CERTs and financial sharing organizations in the US and South Korea so they could take all necessary steps to mitigate the risks, and continues outreach to the affected parties through its partners in South Korea and the US.

“Even though there is not enough information in this dump to make online purchases, fraudsters who buy this data can still cash out stolen records,” says Shawn Tay, senior threat intelligence analyst at Group-IB. “If a breach is not detected promptly by the card-issuing authority, crooks usually produce cloned cards (“white plastic”) and swiftly withdraw money via ATMs or use cloned cards for illicit in-person purchases. Constant underground monitoring for compromised personal and payment records of their customers gives banks and financial organizations the ability to mitigate risks and further damage by quickly blocking stolen cards and track down the source of the breach.”

About the author Group-IB:

Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks, online fraud, IP protection and high-profile cyber investigations.

Due to the ongoing pandemic, Group-IB has set up the StayCyberSafe portal with recommendations for organizing comfortable and cybersafe remote work and webinars about modern cyberthreats and the ways to confront them.

Please give me your vote for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
https://docs.google.com/forms/d/e/1FAIpQLSe8AkYMfAAwJ4JZzYRm8GfsJCDON8q83C9_wu5u10sNAt_CcA/viewform

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – payment card, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Cybercrime Hacking hacking news information security news it security it security news payment card data Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini June 27, 2025
Taking over millions of developers exploiting an Open VSX Registry flaw
Read more
Pierluigi Paganini June 27, 2025
OneClik APT campaign targets energy sector with stealthy backdoors
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Taking over millions of developers exploiting an Open VSX Registry flaw

    Hacking / June 27, 2025

    OneClik APT campaign targets energy sector with stealthy backdoors

    Hacking / June 27, 2025

    APT42 impersonates cyber professionals to phish Israeli academics and journalists

    APT / June 27, 2025

    Kai West, aka IntelBroker, indicted for cyberattacks causing $25M in damages

    Cyber Crime / June 26, 2025

    Cisco fixed critical ISE flaws allowing Root-level remote code execution

    Security / June 26, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT