SecurityWeek

A Crash-Course in Card Shops

The notorious Joker’s Stash is perhaps the best-known of many illicit shops in the deep & dark web (DDW) that specialize in stolen payment card data and serve as a primary means through which cybercriminals obtain it. Commonly referred to as card shops, these shops can also be invaluable resources for those seeking to better understand and combat fraud and cybercrime. Here’s a crash-course in how card shops operate and some key considerations for security practitioners:

Card shops are usually one-stop shops

The widespread popularity of card shops in the underground economy is driven largely by their convenience. Rather than stealing the data themselves with point-of-sale malware or a skimmer installed on a physical card reader, and facing the risks and up-front costs of doing so, cybercriminals can simply purchase previously stolen data from a card shop.

In most cases, buyers can make purchases directly through a shop’s interface by loading funds from a cryptocurrency wallet onto their shop account. Many shops provide online checkers that enable prospective buyers to verify the validity of the card data; certain shops have even been known to offer refunds within a given time period after a purchase if a card number is invalid. 

These conveniences have helped make it faster and easier than ever before for cybercriminals of nearly all skill levels to abuse and profit from stolen payment card data.

Dumps versus Cards

Dumps and Cards are the two types of information most commonly bought and sold on card shops. The two are gathered in different ways and support different types of illicit schemes. Dumps, which typically comprise track 1 and/or track 2 data stolen from the magnetic stripe of a payment card via skimmers or point-of-sale malware, are used for cloning physical cards for in-store fraud.

Cards, meanwhile, are sets of payment card numbers and the other information—such as CVV code, expiration date, cardholder name, and billing address—required for online carding or card-not-present (CNP) fraud. Some sellers will also offer Cards with varying levels of fullz, or full packages of personally identifiable information (PII). Fullz can include a victim’s social security number, date of birth, phone number, email address, and other information threat actors can use to carry out and profit from various forms of fraud or identity theft. 

Indeed, while card shops cater largely to those looking to engage in payment card fraud, many shops and sellers offer information that is also conducive to a number of other fraud and cybercrime schemes.

The role of Bank Identification Numbers

Card shops usually sort card information, for both Dumps and Cards, by Bank Identification Number (BIN). As their name implies, BINs specify from which bank a payment card has been issued. Threat actors can use this information to identify what security measures are in place at a given bank and, as a result, whether a card issued by that bank is a feasible target. Many actors have even been known to maintain “BIN lists” that track the BINs most conducive to fraud.

The key takeaway here is to remember that cybercriminals often go to great lengths to understand and circumvent security measures they’re up against.

Not all shops are created equal

Reputable or “top-tier” card shops are generally those that have been around for a significant amount of time and tend to have strong connections to stolen payment card data providers. These shops are more likely to retain a loyal customer base that trusts the card data they purchase will be valid. Refunds for invalid card numbers are much more common among top-tier shops. Less-reputable or lower-tier shops, however, have been known to draw their offerings from the same breach databases; this practice typically results in card data that is older and has lower validity rates. Refunds are much less common among lower-tier shops.

Shop tiers and reputations are particularly important for security practitioners to consider because they can help shed light on the source and timeliness of a potential compromise. Top-tier card shops are more likely to sell unused card data sourced directly from a recent breach, whereas lower-tier shops may offer previously-abused data recycled from older breaches. In some cases, offerings can mislead prospective buyers—as well as security practitioners—into believing that a new breach has occurred even when it hasn’t.
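An added example (not from the original article) of how an issuer's fraud team might apply the two points above, grouping by BIN and separating fresh from recycled data, to an intelligence feed of exposed card numbers. The BINs, key, dates and card numbers are constructed placeholders, and the feed format of (number, observed date) pairs is an assumption.

```python
import hashlib
import hmac
from collections import defaultdict

OUR_BINS = {"400000", "510000"}   # assumption: constructed BINs, not real assignments
FP_KEY = b"constructed-demo-key"  # assumption: in practice a managed secret


def fingerprint(pan):
    """Keyed hash, so sightings can be compared without storing card numbers."""
    return hmac.new(FP_KEY, pan.encode(), hashlib.sha256).hexdigest()


def luhn_ok(pan):
    """Luhn checksum: filters out malformed numbers before they skew the counts."""
    digits = [int(d) for d in reversed(pan)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0


def triage(listings, first_seen):
    """Count fresh vs. recycled listings per BIN.

    listings: iterable of (pan, observed_date) from an intel feed.
    first_seen: dict fingerprint -> ISO date of first sighting (updated in place).
    """
    report = defaultdict(lambda: {"fresh": 0, "recycled": 0})
    for pan, observed in listings:
        if not (pan.isdigit() and luhn_ok(pan)):
            continue                       # malformed entry, ignore
        bin_ = pan[:6]
        if bin_ not in OUR_BINS:
            continue                       # another issuer's card
        fp = fingerprint(pan)
        if fp in first_seen:
            report[bin_]["recycled"] += 1  # resurfaced data, not a new breach signal
        else:
            first_seen[fp] = observed
            report[bin_]["fresh"] += 1
    return dict(report)


# Constructed sample data: Luhn-valid placeholder numbers, not real cards.
HISTORY = {fingerprint("4000000000000002"): "2017-03-01"}
FEED = [
    ("4000000000000002", "2018-06-10"),  # seen before -> recycled
    ("4000000000000010", "2018-06-10"),  # new for our BIN -> fresh
    ("5100000000000008", "2018-06-10"),  # new for our BIN -> fresh
    ("6011000000000004", "2018-06-10"),  # not our BIN
    ("4000000000000003", "2018-06-10"),  # fails Luhn
]

if __name__ == "__main__":
    print(triage(FEED, dict(HISTORY)))
```

A batch dominated by recycled fingerprints points to old data being resold, while a cluster of fresh ones under a single BIN is the pattern worth escalating.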

Above all else, it’s crucial to recognize that card shops will almost certainly remain a focal point of the underground economy and a key driver of fraud and cybercrime. But given the many nuances, and in some cases risks, inherent to their operations, security practitioners looking to obtain greater visibility into card shops and the data they harbor are encouraged to seek the guidance and assistance of trusted experts.
