623M Payment Cards Stolen from Cybercrime

According to Group-IB, a database containing stolen payment cards has been hit by hackers, who were able to lift the information off of the Swarmshop cyber-underground card market. The hackers leaked the information online, putting consumers in the US and across globe at risk for identity fraud, theft, and other attacks. The entity that stole the payment card details from Swarmshop appears to be engaged in a rivalry as the database was posted on an alternative underground forum. Card shops like Swarmshop advertise stolen payment card data.

The database involved in the leak contains 623,038 payment card records from Brazil, Canada, China, France, Mexico, Saudi Arabia, Singapore, the UK, and the US. Most of the victims are located in the United States, according to Group-IB. The database also contains sets of online banking credentials and 69,592 US Social Security numbers and Canadian Social Insurance numbers, which could be used to conduct sophisticated attacks such as phishing, social engineering, identity theft, and identity fraud. Other information exposed in the hack includes 12,344 sets of data pertaining to card shop admins, sellers, and buyers, including usernames, hashed passwords, contact details, sales activity, and current balances.

Hackers have been hacking other hackers for decades. What better way to gain access to new hacking tools, dumps, cards, personally identifiable information (PII) and other items of value than hacking the people that are stealing it in the first place,” said Tyler Shields, CMO at JupiterOne, said via email. “It comes as no surprise that there have been multiple successful breaches against Swarmshop. Cybercriminals have trouble with security just like everyone else. It just goes to show you that cybersecurity is a difficult problem no matter who you are.”

Hacking the Hackers

Swarmshop is a mid-size, Russian-speaking “neighborhood” store that has been operating since at least April 2019. According to Group-IB, the number of Swarmshop users is now 2.5 times larger than it was in January of 2020, with the volume of traded payment records increasing from 485,617 pieces to 623,036 last month.

In March, when it was hacked, the total amount deposited within buyer accounts was $18,145.73.

“Users of card shops do not store large amounts of money on their accounts and top up the balance to make payments if necessary,” explained the researchers, in a posting on Thursday. “The analysis showed that It’s fair to assume that card shop owners’ net profits have also grown exponentially.”

“While the source of the breach remains unclear, the exposed records show that two card shop users attempted to inject a malicious script searching for website vulnerabilities in the contact information field,” researchers said. “It’s impossible to determine if the two events are connected to the breach.”

Swarmshop has been targeted by fellow cybercriminals before: Back in January 2020, someone claimed to be selling the Swarmshop user database and posted a screenshot allegedly from the card shop’s admin panel. It’s unclear if the same perpetrators are at work in the latest incident.

Information about the Swarmshop hit

The Swarmshop payment cards shop is a Russian language, mid-sized hacker forum that has been around since April 2019, or earlier. The researchers point out that the size of this cybercriminal forum has increased by nearly 250% since the start of 2020. Only within the last month, the volume of illegally traded records on the site has gone from 485,617 to 623,036.

The collective amount of money contained within the accounts available on Swarmshop during March, the month when the forum got compromised, was $18,145.73

The researchers explain that the users of payment card forums such as Swarmshop rarely keep a lot of money in their profiles. It is highly likely that the actual profit of the shop owners is much greater than what it may seem from the currently available data.

Currently, it is unknown where the breach came from, but apparently two users of the forum have tried to attack the site with a malware script that was supposed to exploit any potential weaknesses in the contact details field. Whether those breaching attempts were successful and are the ones that led to the data leak, however, remains unclear.

In January last year, there was a similar attempt to breach the database of Swarmshop, when an unknown actor claimed that they were selling user info acquired from the hacker forum, accompanying their post with a screencap of the Swarmshop’s admin interface. It is not known whether the current breach was performed by the same actor/actors.

The research team of Group-IB suspects that the attack must have been a type of “revenge hack” intended to fully take out Swarmshop. Since all sellers on the hacking forum have lost all data they could potentially sell, it is highly unlikely that Swarmshop would recover from that hit.

This idea is supported by the Netenrich CISO, Chris Morales, who comments that whether a business is legal or not, it would still be faced with the same obstacles, including competition that tries to take it out. According to him, the goal of this hit is probably not only profit but also revenge or possibly even glory within the hacking community.