Millions of Indian Credit and Debit Cards up for Sale on Dark Web on Joker’s Stash. Here’s what the fuss is all about.
Banking trojans are at work again. This time cybercriminals have crossed their limits, putting over 1.3 million debit and credit card records of Indian banking customers up for sale on the dark web. These card details are being sold at a price of $100 per card and could fetch the cybercriminals $130 million.
According to a recent report, these card details have been uploaded to Joker’s Stash, the largest and oldest card shop. Joker’s Stash is also known to be a place where significant hackers sell card dumps.
If it’s possible to describe a cybercriminal marketplace as ‘reputable,’ then Joker’s Stash fits the description. The site has emerged in recent years as a destination for scammers who buy and sell credit card information stolen from victims after data breaches. Joker’s Stash lists the database of payment card details under the name ‘INDIA-MIX-NEW-01’ and says it includes both Track 1 and Track 2 data, referring to the data stored on the magnetic stripe on the back of the card.
Joker’s Stash is what security researchers call a ‘card shop.’ Major cyber-crime groups like FIN6 and FIN7 both sell card dumps at Joker’s Stash. The magnetic stripe includes the primary account number and expiration date, along with the card verification value, or CVV. The criminals buying card dumps from the ‘card shop’ typically use the data to clone legitimate cards and withdraw money from ATMs (cash-outs).
What is the Dark Web?
Picture the Internet as an iceberg. The part above the water is the ‘surface web,’ where you can find webpages using search engines such as Google or Bing. The part under the water is the ‘deep web.’ This is where you are when you sign in to your bank account online with your username and password. The ‘dark web’ is a small part of the deep web.
Mozilla Firefox, Chrome, Internet Explorer and other commonly used web browsers won’t get you there; you need a special browser such as Tor Browser. Tor can be used to go anywhere on the internet; if a URL ends with ‘.onion’, it is on the dark web and only accessible via Tor.
Identity thieves use the Dark Web to buy and sell personal information. If you have ever been a victim of a data breach, the Dark Web is a place where your sensitive information might live. The criminals potentially use your sensitive information to commit fraud.
Attackers tend to drip-feed payment card data onto cybercrime markets so as not to flood the market all at once and drive down their asking price. It is more lucrative for sellers to sell a database separately in smaller pieces, which consistently maintains interest in it.
Analysts suggested that the card details were obtained by skimming ATMs and PoS systems. Joker’s Stash implemented the use of Blockchain DNS via a browser extension in 2017, alongside a Tor marketplace, to lower barriers of access for new customers. The peer-to-peer nature of the service renders the Joker’s Stash marketplace more impervious to takedowns by DNS authorities.
The Joker’s Stash market is now broken into three main sections: dumps, cards, and SSNs. Dumps and cards are both related to stolen payment card data; dumps refer to the Track 2 (and in some cases Track 1) data on the magnetic stripe of a payment card. Cards include the full data associated with a card-not-present transaction, such as the payment card number, expiration date, and CVV number.
The SSN section represented a serious update to the marketplace, providing a more persistent fraud vector compared to the relatively short usefulness of credit card data. It offers a comprehensive amount of personal details at $5 per record, searchable by first and last name and at least one other identifier such as ‘date of birth’ or ‘state.’ If the record is still available and unpurchased, the website will show a ‘buy’ button. Records indicated as ‘too late to buy’ have already been purchased by another threat actor, and are likely in use.
The SSNs are searchable in bulk and can be filtered by location. The additional PII, including the recent address and ZIP code, may allow for specific area targeting by fraudsters, potentially facilitating fraud against regional banks, credit unions, or smaller retail chains. This is the most prominent market or forum Recorded Future is aware of that peddles SSNs in a bulk manner.
Stolen data traces to Indian banks. Of the cards listed for sale, 98% appear to have been issued by Indian banks, with a single bank accounting for more than 18% of all the dumps. 1% of the cards appear to have been issued by Colombian banks. The most unusual thing about this sale is that, for the most part, all the payment cards have been uploaded at once.
It is indeed the largest card database encapsulated in a single file ever uploaded to underground markets at once. The interesting fact about the breach is that the database that went on sale hadn’t been promoted beforehand in the news, on the card shop, or even on darknet forums. In the last 12 months, it is the only big sale of card dumps related to Indian banks.
Cards are being sold at a top-tier price of $100 per card, putting the hackers on a trajectory of making more than $130 million from the source of a possible breach. 98% belong to Indian banks, 1% to Colombian banks, and more than 18% of the 550K card dumps analyzed so far belong to a single Indian bank.
Today’s Indian card dump is the third major card dump this year in terms of size. In February, card details of 2.15 million Americans were similarly put up for sale on Joker’s Stash as part of a card dump nicknamed the ‘DaVinci Breach.’ In August, nearly 5.3 million card details obtained from Hy-Vee customers were also dumped on Joker’s Stash. Two smaller dumps of 890,000 and 230,000 cards belonging to South Korean users were also reported.
Over the past five years, Joker’s Stash has become one of the premier underground credit card shops throughout the world. Companies like Target, Walmart, Saks Fifth Avenue, Lord & Taylor, and British Airways had significant data breaches. From a release in late August 2019, Joker’s Stash lists 5.3 million credit card numbers related to the breach.
How to Protect Yourself from Skimming?
Credit or debit card skimming devices are designed to look like the hardware on an existing ATM, or like a regular in-store card reader. When a card is passed through one of these devices, the device can capture the details stored on the card’s magnetic stripe. Skimming thieves later return to gather the stolen data of all the people who have used the tampered ATM or in-store device. The following are some things you can do to protect yourself against this fraud:
- Keep your card in sight: If you are in a store or restaurant, make sure you hold onto your card or keep it within your sight at all times so that you know it is only being used on the one machine.
- Never share your PIN: Don’t disclose your PIN, don’t write it down and definitely do not keep a copy of it in your wallet together with your card.
- Be discreet with your PIN: As petty as it might sound, covering the keypad as you enter your PIN could help prevent someone stealing from you via CCTVs or webcams.
- Look for signs of tampering: Before you use an ATM, always check for any suspicious features. You can also try wiggling parts of the machine as legitimate ATMs are solid constructions that don’t usually have loose or moving parts.
- Avoid outdoor ATMs: While this isn’t always true, an ATM inside a mall is generally safer than a standalone outdoor ATM on a street or platform, on the logic that the former location makes the machine harder to tamper with.
- Check your credit card statement: Regularly keeping an eye on your card statement is a good habit, and it’s now even easier with online banking. You will be able to identify fraudulent transactions as soon as they happen, and your account can be frozen to prevent more theft.
- Report suspicious activity: Immediately call your bank, the ATM provider or the local authorities when you encounter suspicious activity.
- Check out the location: Thieves always look for undetected, uninterrupted access to point-of-sale terminals. Hence make sure to use a machine that is in a brightly lit area where lots of people walk past often.
- Email address and phone number: It’s not worth changing them, but be on guard for your email address being used to send spam or your phone number being ‘spoofed’ to make calls look like they’re coming from you.
- Set up notifications: Set up notifications on your checking account and credit cards. Set alerts that tell you every time a charge is more or every time there’s a ‘card not present’ transaction.
Taking Precautionary Steps:
However, learning that your information is on the dark web is just the first step.
- If you find your credit card or bank account numbers on the dark web, let your card issuer or lender know so that they can help you close the account and open a new one.
- If your driver’s license or passport is found, contact your Department of Motor Vehicles, respectively.
- If your Social Security number is on the dark web, report it to the Social Security Administration and the Internal Revenue Service.
- If your passwords are on the dark web, change them on all accounts where you use them. You can change your security questions as well.
If you are a data breach victim, take advantage of free identity theft services if they’re offered. Do not get swayed by fraud tactics such as claims that an identity theft service can prevent you from becoming a victim, or million-dollar guarantees. If cyber thieves use your personal information to commit fraud, first contact the companies where the fraud took place. They’ll freeze the accounts so no further damage can be done. Changing the passwords and PINs used for access is the very next step.