A spike in payment-card fraud in Pakistan over the past six months now appears to involve a possible breach of at least one bank’s internal systems, according to researchers with New York-based threat intelligence company Gemini Advisory.
Previous reports — including research by Moscow-based cybersecurity company Group-IB — had noted two major dumps of Pakistani payment-card data on the dark web market Joker’s Stash in October and November, as well as further sales in January of this year. Gemini Advisory says it now appears that the card-information dumps point to a more aggressive level of hacking beyond point-of-sale attacks.
“While fraudsters generally acquire card and PIN data with card skimmers and cameras or overlays, the January 24 and January 30, 2019 breach included such data in large quantities pertaining to a single bank – Meezan Bank Ltd.,” Gemini Advisory says. “Gemini analysts therefore assess with moderate confidence that the compromised records posted between January 24 and January 30, 2019 are associated with a compromise of Meezan Bank Ltd’s internal systems.”
The researchers did not theorize about how or where a breach of Meezan’s internal systems might have occurred. Karachi-based Meezan bills itself as the “first and largest” Islamic commercial bank of Pakistan.
Gemini Advisory’s assertion is based on connecting a few dots: Given the nature of the previous dark web sales of Pakistani accounts — which included multiple banks in each database — the researchers concluded that something else might be going on.
“If the threat actors had installed skimmers at Meezan Bank ATMs to intercept card data, they would have likely captured some records from other banks as well; since the records exclusively belonged to Meezan Bank, this further supports the likelihood of a Meezan Bank system breach,” Gemini Advisory said.
Despite banks’ ongoing efforts to eliminate payment-card fraud, criminals still find ways around security measures to acquire card data at the point of sale. The data allows crooks to makes clones of the compromised cards — otherwise known as “white plastic” — which then gives them several avenues for extracting value from them. Money mules use the fake cards, to either withdraw money from ATMs or buy goods” that are later resold by fraudsters, Group-IB says in a Feb. 22 advisory.
Cloned cards also can be combined with dummy companies with bank accounts and POS terminals, Group-IB says.
“Fraudsters use ‘white plastic’ to buy nonexistent goods, and funds from compromised cards get transferred to bank accounts linked to dummy companies, then cybercriminals withdraw money via ATM using a bank card which is linked to a dummy company,” Group-IB says. “This method is quickly detected by antifraud systems and involves high risks. However, emerging markets banks frequently do not have adequate anti-fraud controls, making this attack type viable.”