Joker's Stash Sells Fresh US, South Korean Payment CardsStolen APAC Cards Command Five Times Higher Asking Price Than US Cards, Group-IB Says
The notorious carder marketplace Joker's Stash is advertising a fresh batch of stolen payment card data, this time of cards from South Korea and the United States.
So warns Group-IB, a cybersecurity firm based in Singapore that tracks cybercrime marketplaces that specialize in selling stolen payment card.
On April 9, the carder marketplace began listing a "Scarface-Discount-Sale-5USD (fresh skimmed)" batch of "high validity" data comprised of 397,365 cards issued by banks in the U.S., South Korea as well as a few EU countries. As the name suggests, all of the cards are being sold for $5 each, with the sellers promising to refund buyers, after a 24-hour delay, for any card numbers that don't work, according to the listing, which estimates that 30 to 40 percent of the cards remain valid. At those prices, the complete Joker's Stash batch is worth $1.99 million.
"Even though the database name didn’t include a single mention of South Korea, South Korean card details made up the majority in the newly released batch - roughly 49.9 percent … [while ] 49.3 percent were related to U.S. banks and financial organizations," Group-IB says in a new report, adding that it's alerted financial authorities in both countries to the sale.
The card data being offered for sale isn't sufficient for making online purchases, but could still be used to create cloned - aka "white plastic" cards that could be used to withdraw money from ATMs or make illicit in-person purchases, the security firm says.
The origin of the stolen payment card data isn't clear. "Card dumps do not necessarily get compromised in a card-issuing country; the data can be snatched when a card owner travels overseas to a country where advanced payment security measures, such as EMV, are not widely implemented, and uses an infected point-of-sale terminal," according to Group-IB.
"The APAC region has one of the highest travel rates and South Korea is no exception," Shawn Tay, a senior threat intelligence analyst at Group-IB, tells Information Security Media Group. "Back in 2018, an estimated 28.7 million South Koreans traveled out of the country. That is half of the population of the country."
Stolen South Korean Card Data Scarce
Even so, stolen payment card data from South Korea appearing for sale online is unusual.
"While American card dumps have traditionally been most commonly traded in the dark web, the South Korean payment card details are a very rare commodity in the underground," Group-IB Says, noting that it's been eight months since the last time a big batch of South Korean payment card data appeared for sale online.
Historically, the payment card data that commanded the highest prices on carder forums came from the U.S., Canada and Western Europe. But fraud analysts have been seeing increasing amounts of stolen card data that traces to the Asia-Pacific region, and which can command a higher asking price.
"In general, prices for card dumps vary accordingly due to their rarity, validity, whether it’s a platinum or gold card, and some other parameters," Tay says.
APAC: Growing Supply Suppresses Prices
For the APAC region in particular, a glut of cards has been driving down dump prices. "In the first four months of 2020, the average price on APAC-issued dumps has decreased by more than 40 percent compared to the same period in 2019," Tay says. "Low dump prices in this latest database - $5 apiece - also contributed to this. But card dumps related to APAC are still valued quite high, along with European dumps. On average, they are valued more than five times higher than U.S. dumps."
While U.S. card data remains the most sold on cybercrime forums, since 2019, stolen card data from APAC has been second in popularity, Group-IB says.
"APAC is also one of the fastest-developing markets and home to many rising economies, which also explains the focus on the region as a whole," Tay says, noting that attackers appear to be taking an increased interest in APAC card data, including from India and Pakistan (see: Joker's Stash Advertises Second Batch of Indian Card Data).
But Tay warns that not all banks in the region are bringing sufficient fraud-fighting controls to bear on the problem. "Many APAC countries are still developing and maturing their technological advancement in terms of offline and online transactions," he says. "Some banks may not have an adequate fraud detection or monitoring solutions to quickly detect and block compromised payment records immediately. Hence attackers are exploiting this scenario."