Group-IB, a Singapore-based cybersecurity company that specializes in preventing cyberattacks, has detected a massive upload of debit and credit card records mostly related to the largest Turkish banks on one of the most popular underground cardshops. More than 460,000 records in total were uploaded between Oct. 28 and Nov. 27. The underground market value of the database is estimated at more than $0.5 million. Upon discovery of this database, Group-IB has informed proper local authorities about the sale of the payment records, so they could take necessary steps.
Using its own unique tools for underground forums and cardshops monitoring, research and analysis Group-IB Threat Intelligence team has discovered that compromised payment records predominantly related to TOP 10 Turkish banks were uploaded in four parts to Joker’s Stash – one of the most popular underground cardshops. The first two databases named “TURKEY-MIX-01 (FRESH SNIFFED CVV) 30.000 cards TURKEY MIX, HIGH VALID 85-90%, uploaded 2019-10-28 (NON-REFUNDABLE BASE)” and “TURKEY-MIX-02 (FRESH SNIFFED CVV) 30.000 cards TURKEY MIX, HIGH VALID 85-90%, uploaded 2019-10-28 (NON-REFUNDABLE BASE)” went on sale on 28.10.2019 and had 60,000 pcs. All the cards in these two parts were sold at 3$ each.
The two other parts of the database under the names “TURKEY-MIX-03-SPECIAL-PRICE-1USD (FRESH SNIFFED CVV) 190.000 cards TURKEY MIX, HIGH VALID 85-90%, uploaded 2019-11-27 (time for refunds: 15 minutes)” and “TURKEY-MIX-04-SPECIAL-PRICE-1USD (FRESH SNIFFED CVV) 205.000 cards TURKEY MIX, HIGH VALID 85-90%”, uploaded 2019-11-27 (time for refunds: 15 minutes) were uploaded on 27.11.2019. “TURKEY-MIX-03” had roughly 190,000 records, while “TURKEY-MIX-04” had about 205,000 cards. The cards were valued at 1$ each.
Neither of these four parts that went on sale had been promoted prior either in the news, on card shop or even on forums on the darknet. It is also worth noting that the cards from Turkey are very rare on the
“A breakdown of the data indicated that all the cards could have likely been compromised online either due to phishing, malware or increased activity of Java-Script sniffers,” commented Dmitry Shestakov, Head of Group-IB сybercrime research unit. “All the compromised credit and debit cards records in this database were identified as raw cards data also known as “CCs” or “fullz” and contained the following information: card number, expiration date, CVV/CVC, cardholder name as well as some additional info such as email, name and phone number, which, unlike card dumps (the information contained in the magnetic stripe), cannot be obtained through the compromise of offline POS terminals. Upon identification of this information, Group-IB team has immediately alerted relevant Turkish local authorities about the sale of the payment records, so the former could take appropriate measures and mitigate the risks. The source of this data compromise remains unknown.”
To avoid a card being compromised online due to JS-sniffers, Group-IB experts recommend that users should have a separate pre-paid card for online payments, set spending limits on cards, used for online shopping, or even use a separate bank account exclusively for online purchases. The
About the author Group-IB:
Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection. Group-IB is a partner of INTERPOL, Europol, and has been recommended by the OSCE as a cybersecurity solutions provider. Group-IB is a member of the World Economic Forum.
(SecurityAffairs – payment card details, cybercrime)