According to Group-IB, the cybersecurity firm that found the listing, the data haul represents around $130 million given that each card record is being offered for $100. Joker’s Stash is advertising it under the “INDIA-MIX-NEW-01” heading.
Where the card data came from is unclear – Group-IB said in a media report that it was likely skimmed from compromised point-of-sale systems or ATMs. In its listing, Joker’s Stash said that the stolen info includes both the track 1 and track 2 data stored on a card’s magnetic stripe (name, card number, expiry and potentially the CVV, plus addresses and other discretionary information used by the bank for fraud protection purposes).
Anyone purchasing the information can create cloned cards to use physically at ATMs or at in-store machines that aren’t chip-enabled, or they can simply use the information to buy things online.
The listing says the card data is 90 to 95 percent valid – and Group-IB said that researchers independently verified the information as consisting of real card details. About 18 percent of the records come from one particular Indian bank. Most (98 percent) of the cards are Indian but about 1 percent are from Colombian banks, according to the firm.
The fact that all of the records were put up for sale at once is unusual, according to Ilya Sachkov, CEO and founder of Group-IB. Typically, card data dumps are rationed out to avoid attracting notice from white-hats. The decision to provide the data trove en masse indicates that the purveyors are looking to monetize the cards quickly before consumers report them as compromised and banks start canceling them.
“This is indeed the biggest card database encapsulated in a single file ever uploaded on underground markets at once,” Sachkov told BankInfoSecurity. “What is also interesting about this particular case is that the database that went on sale hadn’t been promoted prior either in the news, on card shop or even on forums on the Dark Net. The cards from this region are very rare in underground markets. In the past 12 months, it is the only big sale of card dumps related to Indian banks.”
Joker’s Stash “poses an evolving and enduring threat to consumers and retailers affected by fraudsters populating the market,” according to research last week from Recorded Future. Its infrastructure consists of more than 500 domains and 54 servers; these are typically spun up and used for surges in available data to provide better support to clients that buy in bulk.
“Recorded Future assesses with high confidence that Joker’s Stash will remain a popular marketplace for threat actors to advertise and sell compromised credit cards, as spikes in marketplace activities have coincided with major breaches,” the firm noted.