Researchers have found over 23 million stolen credit and debit cards up for sale on the dark web, with US consumers by far the biggest hit.
Nearly two out of every three stolen cards on the sites trawled by Sixgill were issued in the US, amounting to more than 15 million. The next biggest hit country was the UK, which accounted for over 7%.
Tellingly, just 316 stolen cards out of the total 23 million were Russian issued. This isn’t just because many hackers are of Russian origin, but also because of the relatively low GDP of the country, making its citizens less attractive targets, the report claimed.
Although the figures are small in comparison to the five billion cards issued globally by Visa, Mastercard and American Express, fraud on these is estimated to cost US businesses and consumers around $12bn by 2020, according to separate predictions from The Nilson Report.
Threat actors are increasingly moving away from traditional dark web marketplaces to Instant Relay Chat (IRC) channels and encrypted Telegram chats, making it harder for researchers to monitor them, according to Sixgill.
“Fraudsters have a number of illicit methods they use to steal card data. They place ‘skimmers’ over the card readers on gas pumps and ATM machines. Retail workers and restaurant employees use devices to copy the swipes when they take a card for payment,” the firm continued in a blog post.
“They infect computers and other devices with malware to record payment information when their owners buy from e-commerce sites. Hackers infiltrate the networks of large companies and simply steal millions of records at a time.”
Credit card information sells for as little as $5 and comes in two main types: one including all the card details plus CVV for fraudsters to use easily online, and dumps containing magstripe data which enable cyber-criminals to create counterfeit cards.
The former is more popular as it’s easier to commit fraud online, said Sixgill. Dumps of magstripe data will likely get less popular as more retailers and consumers adopt EMV in the US.