Online Gift Card Shop Breached: 330k Payment Cards and $38m in Gift Cards Exposed
This blog post, initially published on the Gemini Advisory Blog, has been formally migrated to Recorded Future to ensure its continued exploration and insight.
Key Findings
- In February 2021, a cybercriminal actor sold 330,000 stolen payment cards and 895,000 stolen gift cards with an approximate total value of $38 million.
- Gemini determined the source of the stolen payment cards was a breach of the online discount gift card shop Cardpool.com.
- Gemini assesses with moderate confidence that the breach of Cardpool.com was also the source of the stolen gift cards.
- The breach of Cardpool.com provides valuable insight into both how cybercriminals value different types of stolen cards and also shows how cybercriminals use sites like Cardpool.com to monetize cards once they are stolen.
The Sales: $38m in Gift Cards and 330k Payment Cards
In early February 2021, Gemini analysts observed a reputable hacker on a top-tier Russian-language hacking forum offer to sell 895,000 stolen gift cards from 3,010 companies, with an approximate total value of $38 million. The actor claimed that the database contained over 3,000 brand-name gift cards and affected top companies across various industries, such as AirBnB, Amazon, American Airlines, Chipotle, Dunkin Donuts, Marriott, Nike, Subway, Target, and Walmart. The actor began the auction with a starting price of $10,000 and a buy-now price of $20,000. The gift cards were bought by another actor soon after the cards were posted for sale.
A day later, the same actor offered to sell 330,000 credit and debit cards (hereafter, payment cards) on the same forum. According to the actor, the data included victims’ billing address and partial payment card data, including payment card number, expiration date, and bank name, but did not include the CVV or cardholder name. The actor began the bidding for the database at $5,000 and issued a buy-now price of $15,000. The payment cards also sold within days of being offered for sale, though less quickly than the gift cards.
The Compromised Merchant: Cardpool.com
Through subsequent analysis, Gemini Advisory concluded that the 330,000 payment cards likely came from a breach of the online gift card shop Cardpool.com between February 4, 2019 and August 4, 2019. Before closing in early 2021, Cardpool.com operated as a gift card marketplace where individuals could sell unwanted gift cards to the shop and others could buy them. While active, the site averaged 300,000 monthly visitors, 85% of whom were located in the United States.
Image 1: It remains unclear whether the Cardpool closed because of the COVID-19 pandemic or the breach.
As the payment cards were stolen from a gift card store and both the payment cards and gift cards were sold by the same actor, Gemini assesses with moderate confidence that the gift cards offered for sale were also stolen during the breach of Cardpool.com.
Image 2: The main page of Cardpool.com on January 11, 2021 (archived snapshot from web.archive.org).
It should also be noted that Cardpool itself, and other sites like it, were often used by cybercriminals as a way to monetize stolen gift cards and payment cards. In the scheme, cybercriminals would use stolen payment cards to purchase gift cards and then sell the gift cards to Cardpool. If a bank were to determine that the gift card had been purchased with a stolen payment card, they could connect with the merchant bank or gift card vendors that issued the gift card and request they void the gift card. Unfortunately, this process can prove cumbersome and time-consuming, making it a rare occurrence and granting cybercriminals a wider time window to pull off their scheme.
More importantly, after selling the gift card on a marketplace like Cardpool, the cybercriminal would have already pocketed the profit from Cardpool.com, and the merchant that sold the gift card to the cybercriminal would be stuck paying the chargeback. Theoretically, Cardpool would then also need to pay back the customer who bought the now-voided gift card but, according to the BBB, the shop frequently refused to refund scammed customers.
The Breach: Backend Access Exposes Data
The Payment Card Industry Data Security Standard, which governs which types of customer data that online stores are allowed to store, stipulates that online stores cannot store CVV data. Importantly, the 330,000 cards offered for sale from this breach did not contain the CVV. While the cards also did not contain the cardholder name, merchants are allowed to store this data, which means Cardpool likely chose not to store them. The lack of CVV data indicates that the actor likely acquired the cards by gaining backend access to Cardpool.com, which would have enabled them to steal the gift card data and payment card data of previous shoppers directly from the site’s databases. Attackers can acquire backend access to online shops through a variety of methods, including exploiting vulnerabilities in sites’ content management systems (CMS) and brute-forcing admin login credentials.
Conversely, if the actor had acquired the card data by injecting a payment card skimmer onto the site, it is probable that the data would have also included the CVV and cardholder name. Actors typically inject payment card skimmers onto victim sites, a process known as Magecart attacks, by leveraging vulnerabilities in the CMS to insert malicious JavaScript into the site.
The Buyers: Gift Cards vs Payment Cards
Looking at the prices for the set of payment cards (330,000 with a buy-now price of $15,000) and the set of gift cards (895,000 with an approximate total value of $38 million and a buy-now price $20,000), the major thing that stands out is that both sets of cards were offered at prices far below the typical price for payment and gift cards.
With gift cards, cybercriminals basically have two options for monetization: purchase goods and resell them or, as mentioned earlier, sell the cards to a third-party gift card marketplace like Cardpool. The big advantage for cybercriminals is that there are far fewer identity verification checks with gift cards; they can simply enter the gift card code online and complete the purchase, or walk into a store and swipe the gift card.
Typically, compromised gift cards sell for 10% of the card value in the dark web; however, the 895,000 cards offered from the breach were priced at roughly 0.05% of the card value. First off, it’s entirely possible that the actor exaggerated the total value of the gift cards to drum up sales, but the main factor dampening their price was the low validity rate, which refers to if the cards are active and can be used for nefarious purposes. Even though there were nearly one million cards, the price included the assumption that a significant portion would be invalid or have a low balance (possibly because even the actor themself used some of the cards before selling them).
With payment cards, cybercriminals can monetize them through a variety of schemes, such as simply purchasing goods and then reselling on online marketplaces like Amazon, or performing more sophisticated scams, such as Travel Services Fraud. In the case of the cards exposed from the Cardpool breach, the cards had a sharply discounted per unit cost of roughly $0.05. The discounted price was driven by two factors: the lack of CVV data and the cardholder’s name, and the fact that the breach occurred in 2019.
Logically, the more information about a victim that a payment card record includes, the more they will pay. For example, an exposed Card Not Present card—a card that was compromised from a transaction that was not conducted in person—has a median price of $12 in the dark web if it includes the CVV. Conversely, if the card does not include the CVV, like the cards from Cardpool, then the median price drops to $6. The reason for this simple: very few vendors will process a transaction without the correct CVV data. However, the 330,000 cards were sold far below this because cybercriminals overwhelmingly want compromised cards that are “fresh” (i.e., recently stolen) as they are more likely to work. Ultimately, by cybercriminal standards, the payment cards stolen from Cardpool in 2019 were already decidedly stale and the price reflected that.
The Seller: Prolific Russian-Speaking Hacker
The cybercriminal actor selling the gift cards and payment cards is a prolific Russian-speaking hacker who has posted similar offerings in the past. Further analysis revealed that the actor has been active on top-tier and mid-tier dark web forums since 2010. The actor’s previous offerings have included large-scale sales of stolen payment card data, compromised databases, and the personally identifiable information (PII) of United States residents.
Conclusion
The case of Cardpool.com offers a valuable glimpse into the ecosystem of carding. First, the site was a victim of a breach that resulted in the exposure of 330,000 payment cards as well as likely being the source of $38 million worth of exposed gift cards. Secondly, the subsequent sale of the cards in the dark web provides insight into how cybercriminals value different types of cards and the specific sorts of data that fetch a higher price on criminal forums and marketplaces. Thirdly, the site was also a tool that cybercriminals leveraged to monetize stolen cards, regardless of whether they compromised the cards themselves or purchased them on dark web marketplaces. This third insight, in particular, casts light on the important fact that for most cybercriminals, the trick is not in acquiring stolen cards but in devising the most efficient way to cash out the funds on the cards before financial institutions can flag them as compromised.
Related