Details of 1 million credit cards released for free on the Deep Web

Nearly 1 million credit cards were released in an effort to promote carding market

A new website containing over 2 million credit cards for sale

A new cybercrime market page AllWorld.Cards has been discovered by researchers at D3Lab.^[1] The report states that this was done to spread awareness about the website and the services it provides. The forum was created in May, and the site now has 2,634,615 stolen credit cards. According to analysts, 50% of cards are still operational. Cards for sale vary in price between $0.30 and $14.40, with 73% of the cards costing between $3.00 and $5.00.

Additionally, it was found out that card information was stolen between 2018 and 2019, which makes it hard to determine the source. Leaked credit card details include credit card numbers, expiry dates, CVV, names, countries, states, cities, addresses, zip codes, emails, and phones.

D3Lab sent the permanent account numbers (PANs) of the credit cards recovered to the client banks to let them carry out the appropriate mitigation actions.

While Cyble, the Dark Web and Cybercrime monitoring partner, has only analyzed 400,000 cards so far, the top five affected banks are:

1. State Bank Of India – 44,654 cards
2. JPMorgan Chase Bank N.A. – 27,440 cards
3. BBVA Bancomer S.A. – 21,624 cards
4. The Toronto-Dominion Bank – 14,647 cards
5. Poste Italiane S.P.A. (Banco Posta) – 14,066 cards

And the top five affected countries are:

1. India – 200,359 cards
2. Mexico – 91,278 cards
3. United States – 83,433 cards
4. Australia – 80,023 cards
5. Brazil – 72,576 cards

Carding market

Information security professionals use the term “carding” to describe threat actors stealing credit card information to sell it online to other criminals who can create cloned physical cards to use in-store. Originally, most skimming was done by placing a physical device on a card reader. These devices were able to read the credit card data from the magnetic strip when swiped. The threat actor was able to steal credit card information without anyone knowing if done secretly. Most physical card skimming today is used at self-service gas stations and outdoor ATMs.

These days electronic skimming is replacing physical skimming on the Deep Web. This is the result of increasing online shopping. From the start of the Covid-19 pandemic, it has reached its all-time high. These attacks are known as Magecart, named after early attacks targeting online shops that used Magento software.

D3Lab mentioned in their report that sites like AllWorld.Cards get most of their stolen credit cards from point-of-sale attacks at gas stations, supermarkets, and some e-commerce sites. After the theft, attackers use bots to test lists of recently stolen credit and debit card details on merchant sites.

The carders then use verified credit card details to directly draw funds from exposed accounts or purchase gift cards that can easily be converted into consumer goods, like cell phones, computers, etc. Maimon explained:

These goods are then resold – often via e-commerce sites offering a degree of anonymity for a profit. As these cards were stolen between 2018-2019, it stands to reason that most are no longer valid, especially if they are publicly dumped and multiple actors will jump on them at the same time.

Protect yourself from credit card fraud

The most obvious form of credit card fraud is theft. Card numbers can be stolen through various techniques, including electronic skimming, physical skimming, or malware attacks. For example, people might go through the trash and find your discarded billing statements. A website you previously shopped online on can get hacked, and the information you provided might get stolen. While dining out, a waiter could take a photo of your credit card.

So including safety practices recommended by the Federal Trade Commission^[2] in your daily routine can help to keep your account numbers safe:

Do not give your account number to anyone on the phone unless you’ve made the call to a company you know to be reputable. If you have never done business with them before, do an online search first for reviews or complaints.

Carry your cards separately from your wallet. It can minimize your losses if someone steals your wallet or purse. And carry only the card you need for that outing.

During a transaction, keep your eye on your card. Make sure you get it back before you walk away.

Never sign a blank receipt. Draw a line through any blank spaces above the total.

Save your receipts to compare with your statement.

Open your bills promptly – or check them online often – and reconcile them with the purchases you have made.

Report any questionable charges to the card issuer.

Notify your card issuer if your address changes or if you will be traveling.

Do not write your account number on the outside of an envelope.

Cybersecurity company Cyble^[3] imported the stolen data into their AmIBreached service, so you can check if your credit card information was released. If you have found your information on the Deep Web, you should contact your bank to request a new credit card and number.