On January 3rd, 2020, a member of an online forum that caters to cybercrime posted an unusual message offering a spreadsheet containing details of 10,000 American Express cardholders for free, as reported by Bleeping Computer. The data appeared to contain the card number, name, birthdate, address, and phone numbers of cardholders in Mexico. Still, it did not include the card expiration dates, CVV numbers, or data from magnetic stripe tracks necessary for criminals to make fraudulent purchases with the card data. The threat actor who posted the spreadsheet stated, “I do not sell private data such as password, card information, id number. With the data I sell or share, you are only exposed to spam or marketing :)”
Binary Defense analysts also found the information described in this article as part of the regular monitoring of criminal forums and Darknet sites in our Counterintelligence service. Binary Defense tracks many phishing and telephone-based scams designed to elicit sensitive information such as passwords from targeted individuals. The most damaging phishing campaigns resulting in the highest number of victims make use of personalized information to make the scam seem legitimate. If a scammer on the phone spoofs their caller ID to match the victim’s bank phone number, and the caller has the victim’s card number, date of birth, and address, it can seem very convincing that they represent the bank. One such scam that has been prevalent recently involves placing a phone call pretending to be a bank to convince the victim to respond to text messages that the scammer says are to prevent fraud on the bank account. In reality, it gives the scammer access to transfer money out of the victim’s bank account using the Zelle person-to-person payment system. Details such as those provided in the free spreadsheet enable criminals to carry out these scams much more effectively. To protect against these scams, do not trust caller ID to identify a bank employee on the phone, and never give out passwords to anyone who calls or emails a link. If in doubt about the authenticity of a caller, hang up and call the bank at a published phone number. Enable Multi-Factor Authentication (MFA) to protect online accounts even if a password is stolen, and take quick action to secure accounts if a compromise is suspected.