Joker’s Stash is known as the Internet’s most popular “carding shop” for criminals to buy and sell stolen credit cards. Group-IB recently discovered 1.3 million payment card details up for sale on the site. “More than 98% belong to Indian banks, 1% to Colombian, and more than 18% of the 550K cards that have been analyzed so far belong to a single Indian bank,” stated Group-IB. The cards are being sold for around $100 per card, setting the criminals up to make a hefty profit of around $130 million if all of the cards are sold. Since the information is fresh, researchers from Group-IB have not yet been able to determine the source of a possible breach that the information may have come from. However, there have been some early examinations that suggest the information may have come from skimming devices that were installed on PoS (Point-of-Sale) systems or ATMs. Track 1 and Track 2 data which is typically located on a credit or debit card’s magnetic strip was found with the payment cards, ruling out a Magecart attack because these are carried out with e-skimmers installed on e-commerce websites, whereas Track 1 and Track 2 data isn’t seen. Furthermore, there are multiple banks that the cards come from, leaving out the chance of just one bank’s ATM system being compromised. This is one of the largest dumps that has been seen this year and all of the cards were placed on the site at the same time. This means that the threat actor group responsible for the dump is likely trying to sell as many cards as they can before banks take defensive anti-fraud measures to block the use of the cards to make purchases.
When consumers notice suspicious transactions on their credit or debit card statements, the issuing financial institutions should be notified immediately. It is important to understand the bank’s reporting requirements and the number of days the cardholder has to report fraud before the cardholder will be liable to pay for the fraud. Credit cards typically have longer windows of time to report fraud as opposed to debit cards and have the added benefit of not withdrawing the money directly from the connected checking account when fraud occurs. It is helpful to check recent transactions online or over the phone on a weekly basis, and to register for text alerts from the issuing bank every time the card is used to make a transaction over a threshold dollar amount (for example, a message is sent to the cardholder whenever a purchase over $100 is made on the card). Keeping recurring transactions on a separate card than the one used for everyday purchases can help alleviate some stress and difficulty while waiting for a new card to be issued. Even after the proper steps have been taken, cardholders should monitor their accounts to make sure the bank reverses any fraudulent charges. More information regarding this incident can be found here: https://www.zdnet.com/article/details-for-1-3-million-indian-payment-cards-put-up-for-sale-on-jokers-stash/, https://www.group-ib.com/media/biggest-card-database-ever/