Security Experts:

A Crash-Course in Card Shops

The notorious Joker’s Stash is perhaps the best-known of many illicit shops in the deep & dark web (DDW) that specialize in, and serve as a primary means through which cybercriminals obtain, stolen payment card data. Commonly referred to as card shops, these shops can also be invaluable resources for those seeking to better understand and combat fraud and cybercrime. Here’s a crash-course in how card shops operate and some key considerations for security practitioners:

Card shops are usually one-stop shops

The widespread popularity of card shops in the underground economy is driven largely by their convenience. Rather than using point-of-sale malware or installing a skimmer on a physical card reader to steal the data—and face the risks and up-front costs of doing so—themselves, cybercriminals can simply purchase previously-stolen data from a card shop. 

In most cases, buyers can make purchases directly through a shop's interface by loading funds from a cryptocurrency wallet onto their shop account. Many shops provide online checkers that enable prospective buyers to verify the validity of the card data; certain shops have even been known to offer refunds within a given time period after a purchase if a card number is invalid. 

Cybercrime MarketplaceThese conveniences have helped make it faster and easier than ever before for cybercriminals of nearly all skill levels to abuse and profit from stolen payment card data.

Dumps versus Cards

Dumps and Cards are the two types of information most commonly bought and sold on card shops. Both are gathered in different ways and support different types of illicit schemes. Dumps, which typically comprise track 1 and/or track 2 data stolen from the magnetic stripe of a payment card via skimmers or point-of-sale malware, are used for cloning physical cards for in-store fraud. 

Cards, meanwhile, are sets of payment card numbers and the other information—such as CVV code, expiration date, cardholder name, and billing address—required for online carding or card-not-present (CNP) fraud. Some sellers will also offer Cards with varying levels of fullz, or full packages of personally identifiable information (PII). Fullz can include a victim’s social security number, date of birth, phone number, email address, and other information threat actors can use to carry out and profit from various forms of fraud or identity theft. 

Indeed, while card shops cater largely to those looking to engage in payment card fraud, many shops and sellers offer information that is also conducive to a number of other fraud and cybercrime schemes.

The role of Bank Identification Numbers

Card shops usually sort card information, for both Dumps and Cards, by Bank Identification Number (BIN). As their name implies, BINs specify from which bank a payment card has been issued. Threat actors can use this information to identify what security measures are in place at a given bank and, as a result, whether a card issued by that bank is a feasible target. Many actors have even been known to maintain “BIN lists” that track the BINs most conducive to fraud.

The key takeaway here is to remember that cybercriminals often go to great lengths to understand and circumvent security measures they’re up against.

Not all shops are created equal

Reputable or “top-tier” card shops are generally those that have been around for a significant amount of time and tend to have strong connections to stolen payment card data providers. These shops are more likely to retain a loyal customer base that trusts the card data they purchase will be valid. Refunds for invalid card numbers are much more common among top-tier shops. Less-reputable or lower-tier shops, however, have been known to draw their offerings from the same breach databases; this practice typically results in card data that is older and has lower validity rates. Refunds are much less common among lower-tier shops.

Shop tiers and reputations are particularly important for security practitioners to consider because they can help shed light on the source and timeliness of a potential compromise. Top-tier card shops are more likely to sell unused card data sourced directly from a recent breach, whereas lower-tier shops may offer previously-abused data recycled from older breaches. In some cases, offerings can mislead prospective buyers—as well as security practitioners—into believing that a new breach has occurred even when it hasn’t.

Above all else, it’s crucial to recognize that card shops will almost certainly continue to remain a focal point of the underground economy and key driver of fraud and cybercrime. But given the many nuances, and in some cases, risks, inherent to their operations, security practitioners looking to obtain greater visibility into card shops and the data they harbor are encouraged to seek the guidance and assistance of trusted experts.

view counter
Josh Lefkowitz is the CEO of Flashpoint, which delivers Business Risk Intelligence (BRI) to empower organizations worldwide with meaningful intelligence and information that combats threats and adversaries. Lefkowitz has worked extensively with authorities to track and analyze terrorist groups. He has also served as a consultant to the FBI's senior management team and worked for a top tier, global investment bank. Lefkowitz holds an MBA from Harvard University and a BA from Williams College.