A Russian hacker has sold $38 million USD worth of gift cards on a forum that included close to 900,000 unique gift cards. The cards were from stores that included Airbnb, Amazon, American Airlines, Chipotle, Dunkin Donuts, Marriott, Nike, Subway, Target, and Walmart. The data went up for auction with a starting bid at $10,000 and was quickly sold for the price of $20,000. According to researchers at Gemini Advisory, the value of each card was 0.05% of the actual card’s worth. Typically gift cards are sold for 10% of their value, which points to the fact that the data set could be worth a lower value than appraised by the threat actor or it could include old and outdated cards. Researchers also stated that the dollar amount appraised by the attacker could have been higher to draw attention to the auction. More details lead researchers to believe the data came from the now shut-down carding site Cardpool.
After the attacker sold the gift cards, they then went on to set up an auction that included 330,000 debit cards. The info available included billing addresses, card number, expiration date, and the issuing bank’s name. The CVV code was not included in the dataset, which is required for online purchases. It is prohibited for companies to store the CVV numbers of people who use their website, but they can choose to store other details of the card. The data also did not include the magnetic stripe data or the PIN required to withdraw cash from ATMs. Because the website accepted payment for gift cards from debit cards and the data is being sold by the same actor, researchers at Gemini Advisory concluded all the data sold also likely came from Cardpool.
Gift card information and debit card information have always been highly sought-after information on underground forums. Oftentimes attackers will buy debit card information cheap, and then use the cards to purchase items for themselves or sell items in online auctions and ship the fraudulently purchased items to the highest bidder until the charges are marked as fraudulent and the card is shut down. People should be wary of the websites they are giving their card information to. To better protect themselves, people should use one-time use credit cards for online purchases to prevent threat actors from accessing their actual card numbers.