On 31 May 2021, a spokesperson for AllWorldCards published their first post on the cybercrime forum XSS announcing that they are open for business. Similar to the shops that have preceded them, AllWorldCards advertised shop links on deep web and Tor domains, a presence on cybercrime forums, and an accessible customer support email. Further, they have taken a cue from the major ransomware collectives, Lockbit and REvil, and sponsored an article competition on XSS dubbed “XSS Hot Summer.” The competition is looking for thought leadership from the best and brightest of the cybercrime underground.
Following the planned shutdown of Joker’s Stash in February 2021, formerly the largest card shop by volume and quality, many shops have been vying for the top spot. This includes established shops like Brian’s Club, Ferum, and Yale Lodge, and newer entrants like Trump’s Dumps. AllWorldCards is one of many shops tracked by Flashpoint. Like any online business, legitimate or otherwise, AllWorldCards is flexing the bargaining power of its suppliers through new offerings with freebies.
On 2 August 2021, the spokesperson of AllWorldCards announced the release of 1,000,000 credit cards for free-ninety-nine. The data contained in these records included full credit card numbers, expiration dates, CVVs, and in some cases other PII (Country, State, City, Address, Zip Code, Email, Phone). According to their spokesperson, only about 20% of the cards that were provided are valid. Many shops provide online checkers that enable prospective buyers to verify the validity of the card data. AllWorldCards uses the checkers 4check and GoldCheck to check validity. AllWorldCards further stated that the data is from pre-pandemic 2018-2019. The origin of the breach, however, is unknown.
AllWorld.Cards appears to be a relatively new player to the market for selling stolen credit-card data on the Dark Web, according to researchers. “Our analysis suggests that this market has been around since May 2021 and is available on a Tor channel as well,” according to the post. The black market for stolen credit cards is a massive illegal business, with cybercriminals getting their hands on card data in a number of ways. Point-of-sale card skimmers, targeted Magecart attacks on websites and info-stealing trojans are among their top tools for stealing credit-card data.
In the last six months of 2020 alone, threat actors offered more than 45 million compromised cards for sale in underground credit-card markets monitored by security firm Cybersixgill, the company said in a report. These cards are then used by cybercriminals to make online purchases, including buying gift cards that are hard to track back to them.
The curators of AllWorld.Cards began flogging their cybercriminal services on carding sites in early June, ostensibly to drum up new business, researchers from Italian firm D3 Lab noted in a separate blog post detailing the leak, published last Friday. “It is conceivable that the data was shared for free to entice other criminal actors to frequent their site…by purchasing additional stolen data from unsuspecting victims,” according to the post (machine-translated from Italian).
There is some uncertainty about how many of the cards are actually still active and available for cybercriminals to use. Cyble researchers noted that threat actors claimed that 27 percent, according to a random sampling of 98 cards, are still active and can be used for illegal purchasing. However, according to D3 Lab’s own analysis, which involved sending the credit-card numbers to client banks “to carry out the appropriate mitigation actions,” researchers found that closer to 50 percent of the cards are “still operational, not yet identified as compromised,” they said.
Analysts posted a list of the top 500 banks affected by the leak of stolen credit cards, in descending order. Of the cards, 72,937 were associated with the State Bank of India; 38,010 with Banco Santander (Brazil); 30,480 with a U.S. bank based in Ohio called Sutton Bank; 27,441 with JP Morgan Chase Bank N.A.; and 24,307 with BBVA Bancomer S.A., a bank based in Mexico.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
• Reporting: https://www.redskyalliance.org/
• Website: https://www.wapacklabs.com/
• LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
https://threatpost.com/1m-stolen-credit-cards-dark-web/168514/