According to Group-IB, “more than 200,000 (22%) of compromised payment cards were from the Indian banks, followed by Mexican (9%), US (9%), and Australian (8%) financial institutions”.
Visa and Mastercard dominate the leaked database with 48% and 47% of the cards, respectively. Around 4%, or about 39,000 cards, are attached to RuPay, a global card-payment network launched by the National Payments Corporation of India (NPCI) to compete with foreign payment networks.
Debit and credit card users must stay vigilant, watch for any suspicious transactions, and inform their issuing banks immediately if they spot one.
All World Cards, a cybercriminal group believed to have Russian links, posted links to a file containing details of more than a million cards from more than 1,000 banks in more than 100 countries on several Dark Web forums on August 2.
Crucially, “less than 2% of the cards from the database overlap with the bank card data previously offered for sale on any underground resources”, according to Group-IB.
Researchers say that the database was contained in a password-protected ZIP archive holding a text file of 1 million lines, each with the card number, expiration date, CVV/CVC code, name of the cardholder, country, state, city, address, postal code, and, in the case of some entries, e-mail IDs and phone numbers.
Posted under the username AW cards, these card details were, rather unconventionally, made free to download. More often than not, cyber gangs require payment in cryptocurrency before sharing such critical banking information.
According to researchers at Group-IB, such a tactic is especially unusual for a previously unknown market player, all the more so because such a huge batch of compromised cards had not appeared on other underground forums.
Group-IB says that “the post was nothing but a very bold ad to scale up the user base of newly established card shop All World Cards, which joined the carding market in May 2021”.
The company believes that the “alleged owners of the card shop had launched a massive promo campaign in the underground to advertise their new platform, which, in addition to a huge database giveaway, included a writing contest for other cybercriminals with a cash prize of USD15,000”.
The posts by these cybercriminals on carding forums “crdclub” and “xss” termed the offer an “extraordinary act of generosity”.
The criminals edited the post on August 3, increasing the valid parameter — the share of valid bank cards that cybercriminals can monetise — from 3% to 20% of the cards in the entire batch.