The credit card data was put on Joker’s Stash underground forum in four batches
Security researchers at Group-IB[1] discovered a new data leak – this time, it concerns Turkey-issued credit card details. According to several news networks, more than 450,000 payment cards are being sold on the underground credit card market Joker’s Stash, and it is one of the largest data dumps of its kind in recent years.
According to news outlet ZDNet,[2] the data was uploaded in four different batches between October 28 and November 27 this year, consisting of 30,000, 30,000, 190,000, and 250,000 entries, respectively. If malicious actors were to sell all the data, they would stand to earn more than half a million US dollars.
It is not the first time Joker’s Stash has been mentioned in the news. In late October, 1.3 million credit and debit card details (making it the biggest posting to date), mainly belonging to users of various Indian banks, were listed on the same underground forum.[3] Without a doubt, if malicious actors can sell sensitive information for merely 1 – 3 dollars apiece, the data must be easily obtainable, and more users need to be aware of the dangers of such exposure.
The sold information comes from different Turkish banks
The offered information included data from various user accounts (Personal, Gold, Classic, etc.) and covered both credit and debit cards. The listing by malicious actors explained that the database includes all the details, such as CVVs, expiration dates, and other data, needed to make online purchases and other non-card related transactions, as Group-IB researchers explain:
All the compromised credit and debit cards records in this database were identified as raw cards data also known as ‘CCs’ or ‘fullz’ and contained the following information: expiration date, CVV/CVC, cardholder name as well as some additional info such as email, name and phone number.
Card details uploaded on October 28 (named TURKEY-MIX-01 and TURKEY-MIX-02) were listed for $3 each, while the latter two batches pasted on November 27 (TURKEY-MIX-03 and TURKEY-MIX-04) included a “special price” of $1 per credit/debit card. The post claimed that 85% to 90% of the cards posted are still valid and in working order.
Because the credit card details came from various (top) Turkish banks, experts believe that the hack is not related to a single bank, and there are three possibilities for how the data ended up in threat actors’ hands:
- JavaScript skimmers installed on the eCommerce sites that handle online payments
- Malware that could harvest data was installed on thousands of users’ computers
- Victims entered the credit card details themselves into spoofed/phishing websites crafted specifically for the purpose.
JavaScript-based skimmers are the likely culprit of the data leak
While malware infections and spoofing sites still remain a possibility, the fact that most of the data came from Turkey suggests that card skimmers were the likely attack vector, although Group-IB experts said that “the source of this compromise remains unknown.”
Credit card skimmers have gained popularity in recent years, and multiple high-profile hackers employ the technique in order to mass-harvest credit card details. For example, the notorious Magecart[4] hit targets like Shopper Approved, Macy’s, Garmin, Ticketmaster,[5] and many others, resulting in the compromise of millions of users’ credit card details.
Without a doubt, Turkish users should immediately start monitoring their online banking to ensure no money is taken directly from their accounts. After a data compromise like this one, victims might face money loss, targeted phishing campaigns, or even identity fraud. Upon detecting malicious activity, users should immediately contact the corresponding bank, request a refund, and cancel the affected credit/debit card.