Indian bank cards are up for sale on the dark web

RapidVPN/ December 17, 2019/ Blog/

A huge database holding more than 1.3 million credit and debit card records was uploaded to a darknet marketplace on October 28. According to the researchers, most of these records belong to customers of Indian banks, and the underground market value of the database is estimated at more than $130 million.

The cybersecurity company behind this revelation is the Singapore-based Group-IB, which specializes in preventing cyberattacks. Earlier, Group-IB had warned that government agencies and educational institutions faced a serious threat after hundreds of compromised credentials were put up for sale on the dark web. Now its experts report that a database named “INDIA-MIX-NEW-01” (full listing: “INDIA-MIX-NEW-01 (fresh skimmeD INDIA base): INDIA MIX TR1+TR2/TR2, HIGH VALID 90-95 percent, uploaded on October 28 (NON-REFUNDABLE BASE)”) has been put on sale on one of the most notorious underground card shops, Joker’s Stash.

Joker’s Stash is what security researchers call a “card shop,” a term used to describe an online marketplace where criminal groups sell and buy payment card details – advertised as “card dumps.”

Joker’s Stash is one of the oldest card shops around. It is reachable on the dark web and is also known as the place where major cybercrime groups such as FIN6 and FIN7 sell their card dumps.

Criminals who buy card dumps from Joker’s Stash typically use the data to clone legitimate cards and withdraw money from ATMs in so-called “cash outs.”

The compromised database contains only Track 2 credit and debit card dumps, although its name suggests that it holds both Track 1 and Track 2 records. Track 2 dumps are sufficient to produce cloned magstripe cards for cashing out. Group-IB’s Threat Intelligence team analyzed the card dumps in the database and found that more than 98 percent belong to Indian banks and 1 percent to Colombian banks. In a news release, the company stated that, according to its researchers, over 18 percent of the dumps in the database relate to a single Indian bank.
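The two claims above (that the listing advertises TR1+TR2 but the records are Track 2 only, and that issuer attribution is done by grouping the cards by bank) are exactly what a threat-intelligence analyst checks when triaging a dump like this. The following is an added example of that triage, not code from the original post or from Group-IB: it classifies each record as Track 1 or Track 2 using the ISO/IEC 7813 layouts, drops records whose PAN fails the Luhn check, decodes the service code (which tells a fraud team whether the stripe came from a chip card and whether the card is allowed at ATMs, i.e. whether it is useful for the “cash outs” described above), and attributes cards to issuers by BIN. The BIN table, the issuer names and every sample record are constructed for the example; the PANs are the widely published Luhn-valid test numbers, not real cards.

```python
"""Triage of payment-card track data from a constructed sample dump.

Added example; the BIN table, issuer names and card records below are
made up for illustration. PANs are public test numbers, not real cards.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# ISO/IEC 7813 layouts.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)

# Hypothetical BIN table (first six digits of the PAN -> issuer, country).
# A real analysis would use a licensed BIN database; these are constructed.
BIN_TABLE = {
    "411111": ("Constructed Indian Bank A", "IN"),
    "424242": ("Constructed Indian Bank A", "IN"),
    "555555": ("Constructed Indian Bank B", "IN"),
    "510510": ("Constructed Indian Bank B", "IN"),
    "378282": ("Constructed Colombian Bank", "CO"),
}


@dataclass
class CardRecord:
    track: int
    pan: str
    expiry: str          # YYMM exactly as encoded on the stripe
    service_code: str
    issuer: str
    country: str
    chip_card: bool      # service code first digit 2 or 6: an EMV chip is present
    cash_allowed: bool   # service code third digit permits cash / ATM use


def luhn_valid(pan: str) -> bool:
    """Mod-10 check digit; a failing PAN is noise or a typo, not a live card."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track(line: str) -> Optional[CardRecord]:
    """Classify one raw record as Track 1 or Track 2 and decode its fields.

    Returns None for lines that match neither layout or carry a bad PAN.
    """
    line = line.strip()
    track, m = 1, TRACK1_RE.match(line)
    if m is None:
        track, m = 2, TRACK2_RE.match(line)
    if m is None or not luhn_valid(m["pan"]):
        return None
    svc = m["svc"]
    issuer, country = BIN_TABLE.get(m["pan"][:6], ("Unknown issuer", "??"))
    return CardRecord(
        track=track,
        pan=m["pan"],
        expiry=m["exp"],
        service_code=svc,
        issuer=issuer,
        country=country,
        chip_card=svc[0] in "26",
        # ISO 7813 third digit 2, 5 or 7 means goods and services only (no cash)
        cash_allowed=svc[2] not in "257",
    )


def summarize(lines):
    """Return (records, issuer share, track counts) for raw dump lines."""
    records = [r for r in (parse_track(l) for l in lines) if r is not None]
    by_issuer = Counter(r.issuer for r in records)
    share = {k: v / len(records) for k, v in by_issuer.items()} if records else {}
    tracks = Counter(r.track for r in records)
    return records, share, tracks


# Constructed sample dump: four Track 2 lines, one Track 1 line, one record
# whose PAN fails the Luhn check, and one line of junk.
SAMPLE_DUMP = [
    ";4111111111111111=25121010000000000?",
    ";4242424242424242=26032010000000000?",
    "%B5555555555554444^DOE/JANE^25121010000000000?",
    ";5105105105105100=25116010000000000?",
    ";378282246310005=24112220000000000?",
    ";4111111111111112=25121010000000000?",   # bad check digit
    "not a track record at all",
]

if __name__ == "__main__":
    recs, share, tracks = summarize(SAMPLE_DUMP)
    print(f"{len(recs)} valid records, tracks present: {dict(tracks)}")
    for issuer, frac in sorted(share.items(), key=lambda kv: -kv[1]):
        print(f"  {frac:6.1%}  {issuer}")
    for r in recs:
        print(f"  T{r.track} {r.pan[:6]}...{r.pan[-4:]} exp={r.expiry} "
              f"svc={r.service_code} chip={r.chip_card} cash={r.cash_allowed}")
```

Running the script shows why the advertised “TR1+TR2” matters: only the Track 1 record carries a cardholder name, and the track counts immediately reveal whether a seller’s label matches the data. The service-code decode is what an issuer’s fraud team keys on after a dump like this: a stripe copied from a chip card (first digit 2 or 6) should never appear in a magstripe-only ATM transaction, and a card whose third digit forbids cash is of little use for the cash-out scheme described above.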

Because the advert for the cards had been published only hours before its analysis, Group-IB said it had not yet had time to look into the source of the possible breach. Early analysis of the data suggests the card details were obtained via skimming devices installed on ATMs or PoS terminals.

Group-IB also found that the database holds more than 1.3 million records in total, which makes it one of the biggest single databases ever uploaded at once to an underground market and probably one of the most expensive. The cards are being sold at a top-tier price of $100 per card, putting the sellers in line to make more than $130 million from the haul.

Ilya Sachkov, CEO and founder of Group-IB said “Big payment data leaks have indeed happened before; however, the databases are usually uploaded in several smaller parts at different times,” adding that “This is indeed the biggest card database encapsulated in a single file ever uploaded on underground markets at once.”

The Indian card dump is the third major card dump this year by size.

In February, card details for 2.15 million Americans were similarly put up for sale on Joker’s Stash as part of a card dump nicknamed the “DaVinci Breach.”

In August, nearly 5.3 million card details obtained from Hy-Vee customers were also dumped on Joker’s Stash.

Two smaller card dumps, of 890,000 and 230,000 cards, were also reported in July and June respectively, both belonging to South Korean users.

However, all the card dumps listed above were released in small batches over time. This one was published in one go, suggesting the threat actors want to monetize as many cards as possible before the banks intervene to deploy countermeasures or invalidate the cards.

Sachkov also noted that in this case the database had not been promoted beforehand, either in the news, on the card shop itself, or on darknet forums. He said cards from this region of the world are very rare in underground markets, adding that “in the past 12 months it is the only big sale of card dumps related to Indian banks. Group-IB’s Threat Intelligence customers have already been notified about the sale of this database. The information was also shared with proper authorities.”

Furthermore, the cards came from many different issuing banks rather than a single one, ruling out a compromise of one bank’s ATM network.

Who is most affected?

Group-IB’s Threat Intelligence team has analyzed more than 550K card dumps from the database holding more than 1.3 million credit and debit card records uploaded on the darknet.

“More than 98% belong to Indian banks, 1% – to Colombian, and more than 18% of the 550K cards that have been analyzed so far belong to a single Indian bank,” the company added.

Group-IB said that what set this card dump apart was its sheer size; most comparable card dumps are much smaller and usually mix card details from all over the world rather than from one country.