A database containing roughly 1.3 million credit and debit card numbers belonging primarily to Indian bank customers was uploaded this week to Joker’s Stash, an online market specializing in stolen personal data, according to new findings by security researchers.
Group-IB, in a statement e-mailed Tuesday to CyberScoop, said the database was uploaded Oct. 28, and is worth more than $130 million, the equivalent value of roughly one dollar per record. Ninety-eight percent of the files belong to Indian banks, while 1% originate with a Colombian entity. Group-IB did not name any of the banks affected, victims included in the database or speculate on who may have uploaded the information.
This addition of credit card information came just days after researchers determined that Joker’s Stash is growing. Over its four-year lifespan, the illicit card shop has become a dumping ground for financial information stolen from organizations like Hy-Vee, Sonic Drive-In and others. Now, it’s also a place where scammers also are selling Social Security numbers belonging to high-profile victims, including members of the Trump administration, according to Recorded Future research released last week.
Group-IB’s findings provide the latest proof that Joker’s Stash has emerged as a leading marketplace for identity thieves.
It’s hardly the first time digital thieves have tried to make a buck with Indian cardholders’ data. Underground forums listed 3.2 million records of stolen Indian card data last year, a 219% uptick from 2017, the threat intelligence firm Gemini Advisory previously told CyberScoop. That number was enough to put India in third place among all countries in the world when it comes to the number of records for sale on the dark web, following the U.S. and U.K.
Many financial breaches go unreported in India, resulting in banks being slow to stop stolen cards from being used for fraud, Gemini researchers said. As a result, the Reserve Bank of India has required banks to release ATM cards that rely on EMV chips, which provide more security in transactions where a buyer is physically present. The measure is less useful for securing online transactions.