Image: © Mario beauregard/Stock.adobe.com
Hackers are selling credit cards for as little as $15 to prospective buyers, as well as offering tailored cybercrime-as-a-service offerings.
Having payment cards cloned can be utterly catastrophic for victims, yet for the cybercriminals stealing the information, individual card details are barely worth the plastic they’re printed on. The latest research from the Armor Threat Resistance Unit (TRU) has found that threat actors are selling credit card information on dark web forums for as little as $15 per card.
The Armor research team spent five months, from February to June 2019, combing through both English and Russian-speaking dark web markets and forums to research the kinds of services and goods that can be purchased and how much they’re actually worth.
Details of a Visa or Mastercard payment card coming from the EU and the UK can fetch anything from $15 to $30. This includes the card’s CVV. Anyone seeking additional information such as a cardholder’s date of birth or the bank identification number of the card will pay extra, but the maximum reported value of a debit card was still just north of $100.
US cards are worth considerably less (between $5 and $20), something that Chris Hinkley, head of Armor’s TRU, speculated could be due to a number of different factors.
“It just depends. It depends on the threat actor, the supply and demand. There may be less UK information [available]. It could be also that there’s a lot more data regulation in the UK and EU.”
‘As attackers catch up and understand the loopholes, I think we’re going to have to evolve again as defenders’
– CHRIS HINKLEY
He also noted that the low price of the cards, which has decreased since Armor last examined this data, likely stems from the fact that there are plenty of opportunities for threat actors to nab credit card information.
“There are tons of ways to get credit card data, whether it’s compromising a site that stores credit card data or payment processor. Also, if you go to a gas or petrol pump, or even a point-of-sale terminal, or even hand your card to a waiter at a restaurant, there are multiple ways to get that information.”
The impending PSD2 framework will, among other things, make strong customer authentication (SCA) standard for online card-not-present payments. “I think it might mitigate [cybercrime] in the short term,” Hinkley explained, when asked about whether he thinks the new provisions will curtail fraud.
“I think it will stave off theft in the short term but as attackers catch up and understand the loopholes, if you will, I think we’re going to have to evolve again as defenders.”
Ransomware-as-a-service
One of the most interesting trends Armor observed is the continued rise of ransomware-as-a-service, in which threat actors offer to provide ransomware for other people’s purposes. The higher the level of customisation required, the higher the cost. As the cost of the service increases and gets into the thousands of dollars, the technical skill required to execute the ransomware decreases sharply.
“Someone with almost no technical ability can pay more for ransomware-as-a-service, and they almost have a click-and-point web portal in order to carry out that attack – the hardest part being actually getting the malware onto the target’s system,” Hinkley said.
One of the most expensive forms of the service, entitled MegacCortex, is one that is highly customisable and can have the messages and ransom amounts tailored to the individual target. It is best suited for attack on an organisation’s actual infrastructure and offers the attacker a lot more control.
“MegaCortex is executed, in most cases, by the attacker. The attacker can control the executing environment and have more control over infection and encryption,” Hinkley added.
“Not only is the ransomware built to be executed in a different manner than most, it employs several sophisticated techniques for evasion including attempting to kill close to 1,400 Windows tasks and processes, which aids in its elusiveness.”
You can read the Armor report in full here.
