A crook has sold 895,000 gift cards and over 300,000 payment cards, for a total of US$38 million, on a top-tier Russian-language hacking forum on the dark web. The criminal actor was spotted offering a huge number of cards in February 2021. According to experts from fraud intelligence firm Gemini Advisory, the threat actors obtained the cards by compromising the back end of the online discount gift card shop Cardpool.com.
“Gemini assesses with moderate confidence that the breach of Cardpool.com was also the source of the stolen gift cards,” reads the post published by Gemini Advisory. “The breach of Cardpool.com provides valuable insight into both how cybercriminals value different types of stolen cards and also shows how cybercriminals use sites like Cardpool.com to monetize cards once they are stolen.”
The criminal actor claimed that the database contained over 3,000 brand-name gift cards from top companies across various industries, including AirBnB, Amazon, American Airlines, Chipotle, Dunkin Donuts, Marriott, Nike, Subway, Target, and Walmart. The seller set up an auction with a starting price of $10,000 and a buy-now price of $20,000. Experts from Gemini Advisory revealed that gift cards were bought by another actor soon after they were available for sale.
A day later, the same actor offered for sale another collection of 330,000 credit and debit cards on the same forum. The data included victims’ billing addresses and partial payment card data, including payment card number, expiration date, and bank name, but did not include the CVV or cardholder name. The actor set up an auction with a starting price of $5,000 for the entire database and set a buy-now price of $15,000. The payment cards were sold out in a few days.
Experts pointed out that cybercriminals could easily monetize stolen gift cards by purchasing goods and reselling them, or by selling the cards to a third-party gift card marketplace like Cardpool. Unlike payment cards, gift cards are subject to fewer identity verification checks.
“Typically, compromised gift cards sell for 10% of the card value in the dark web; however, the 895,000 cards offered from the breach were priced at roughly 0.05% of the card value. First off, it’s entirely possible that the actor exaggerated the total value of the gift cards to drum up sales, but the main factor dampening their price was the low validity rate, which refers to if the cards are active and can be used for nefarious purposes,” continues the post. “Even though there were nearly one million cards, the price included the assumption that a significant portion would be invalid or have a low balance (possibly because even the actor themself used some of the cards before selling them).”
The investigation into the cybercriminal actor selling the gift cards and payment cards revealed that he is a prolific Russian-speaking hacker who has been engaged in similar activities since 2010. While unnamed, the hacker behind the breach is a known entity who has previously offered large lots of stolen payment card data, compromised databases, and the personally identifiable information (PII) of United States residents.
“the subsequent sale of the cards in the dark web provides insight into how cybercriminals value different types of cards and the specific sorts of data that fetch a higher price on criminal forums and marketplaces. Thirdly, the site was also a tool that cybercriminals leveraged to monetize stolen cards, regardless of whether they compromised the cards themselves or purchased them on dark web marketplaces,” concludes the post. “This third insight, in particular, casts light on the important fact that for most cybercriminals, the trick is not in acquiring stolen cards but in devising the most efficient way to cash out the funds on the cards before financial institutions can flag them as compromised.”
(SecurityAffairs – hacking, dark web)