There is no shortage of places within the Internet's dark market where stolen credit and debit card information is sold. Most of them, truth be told, are criminal chancers trading in recycled data from old breaches; bargains are to be had by fraudsters willing to gamble that some of the payment cards in the bundle they have bought will actually be usable. Joker's Stash, which was established in 2014, is not only the biggest of these markets but also prides itself on traders selling the "freshest" payment card details, those that come directly from a breach rather than being recycled. As a result, this compromised card data does not come cheap and is pitched firmly in the top tier as far as pricing is concerned.
Joker's Stash advertisement for the sale of 'BlazingSun' group of stolen cards (Source: Gemini Advisory)
The Joker's Stash darknet marketplace has posted a fresh collection of 3 million credit cards that are likely related to a breach of the Dickey's Barbecue Pit chain of franchised restaurants, according to Gemini Advisory. The new collection, called "BlazingSun," was posted on 19 October 2020 on the Joker's Stash carding site, and Gemini Advisory says it confirmed the authenticity of the data before publishing its report.
The darknet marketplace had been advertising in recent weeks that the data from the Dickey's Barbecue Pit breach would be posted soon. The data is from both track 1 and track 2 of cards, which can include the cardholder name, account number, expiration date and bank identification number. It apparently comes from cards used at restaurants in 30 states as well as some international locations, according to the report. The data appears to have been stolen between July 2019 and August 2020. Joker's Stash is now selling the information for a median price of $17 per card.
A spokesperson for Dickey's Barbecue Pit stated that the company is aware of the report that card data is for sale and has contacted third-party security firms as well as the FBI to investigate. "We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved," the spokesperson says.
In January 2020, Joker's Stash posted for sale 30 million payment cards related to a breach at the Wawa convenience store chain. The marketplace advertised this [Wawa] breach as containing 30 million records, and as of this writing, it continues to add compromised cards. Since the breach first appeared in January 2020 and continues to add records 10 months later, the BlazingSun [Dickey's card listing] may follow a similar timeline of several months.
The source of the breach data from Dickey's Barbecue Pit restaurants is not known. Dickey's operates on a franchise model, which often allows each location to dictate the type of point-of-sale device and processors that they utilize. Given the widespread nature of the breach, the exposure may be linked to a breach of the single central processor, which was leveraged by over a quarter of all Dickey's locations.
Dickey's Barbecue Pit oversees 469 franchise restaurants across 42 states. The Gemini Advisory report estimates that 156 of these locations in 30 states appear to have been compromised, with the highest exposure in California and Arizona. Dickey's Barbecue Pit sustained a ransomware attack in 2015, and the company ended up paying a $6,000 ransom. In 2018, the then-CEO wrote a blog post promising to update and improve the company's security practices.
Over the last several months, Joker's Stash also has advertised a collection of nearly 400,000 payment cards issued by banks in the US and South Korea for approximately $5 each, according to the security firm Group-IB.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
The installation, updating, and monitoring of firewalls, cybersecurity, and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.