Data on 400,000 SKorean, US payment cards on sale at dark web

A dump containing details for nearly 400,000 payment card records uploaded to a popular darknet cardshop on April 9, according to Singapore-based cybersecurity firm Group-IB which detected the event.

The database was comprised almost entirely of the payment records related to banks and financial organisations in the United States and South Korea, contributing to the growing popularity of Asia Pacific-issued card dumps in the underground.

Group-IB has informed proper authorities in South Korea and the US so they could take necessary steps, and continues to work closely with its partners in these countries to mitigate the impact of an incident. 

Joker’s Stash – the infamous underground marketplace – put a US$1,985,835 price tag on the set — $5 apiece — and announced that dump had 30%-40% valid rate. The total number of records exposed is 397,365.

Although the database didn’t mention South Korea, South-Korean card details made up the about half (49.9%) of the newly released batch — 198,233 items valued at $991,165 — which is more than the items related to US banks.

While American card dumps have traditionally been most commonly traded in the dark web, the South Korean payment card details are a very rare commodity in the underground.

According to Group-IB, card dumps do not necessarily get compromised in a card-issuing country. The data can be snatched when a card owner travels overseas to a country where advanced payment security measures, such as EMV, are not widely implemented, and uses an infected Point-of-Sale (POS) terminal. 

The database of the credit and debit card details mainly contains Track 2 information — the data stored on the magnetic stripe of a card, which includes the bank identification number (BIN), the account number, expiration date and may also include the card verification value (CVV).

The Track 2 data (also referred to as card dumps) is used for card-present transactions and usually comes from infected POS terminal, from ATM skimmers or breached merchant’s payment system. However, in this case, the source of the stolen data remains unknown. 

“Even though there is not enough information in this dump to make online purchases, fraudsters who buy this data can still cash out stolen records,” said Shawn Tay, senior threat intelligence analyst at Group-IB.

“If a breach is not detected promptly by the card-issuing authority, crooks usually produce cloned cards (“white plastic”) and swiftly withdraw money via ATMs or use cloned cards for illicit in-person purchases,” said Tay.