Cybercriminals have reaped a healthy profit by buying and selling on the dark web financial information that belongs to cardholders in India, according to new research.
Underground forums contained 3.2 million records of stolen Indian card data last year, a 219 percent uptick from 2017, Gemini Advisory, a dark-web intelligence company, said Thursday. India now ranks third internationally when it comes to the number of stolen records for sale on the dark web, following the U.S. and U.K.
“Criminals continuously search for payment cards from specific banks that provide the highest return on investment, and largely spend money only when confident that they stand to make a profit,” researchers said in a report.
In the world’s second-most-populous country, fraudsters target online vendors that have weak cyberdefenses and offer access to a trove of card data. Many payment breaches go unreported in India, meaning banks are slow to stop cards from being used for fraudulent purposes, said Stas Alforov, Gemini Advisory’s director of research and development.
“Such a closed ecosystem presents plenty of opportunities for Indian cybercriminals seeking to defraud local banking customers,” Alforov told CyberScoop in an email.
The firm analyzed roughly 60 underground markets for payment card information. All of them sold data belonging to Indian cardholders, and half of that data had been purchased, according Alforov.
The median price of the stolen card data in India jumped from roughly $7 in 2017 to $17 last year, Gemini Advisory found.
“The rising cost of Indian compromised payment cards and the demand for such cards suggests that criminals have identified multiple reliable ways of monetizing such data,” Alforov said.
Many of those affected by the fraud were in Indian metropolises like Hyderabad, Chennai, and Mumbai, according to the study. But financial cybercrime has also hit obscure towns like Jamtara in the country’s northeast which, according to The Hindu newspaper, has “emerged as one of the biggest hubs of cybercrime” in India.
Jobless youth have a knack for first stealing SIM cards and then using social-engineering to dupe people into revealing their ATM card numbers, the paper reported.
The Reserve Bank of India has responded by requiring banks to issue ATM cards with EMV chips, which are more secure. That will make it a lot harder for fraudsters to exploit “card present” transactions – ones in which the user has physical access to the card, Gemini Advisory said. However, it was “card not present” transactions – when the user buys something online, for example – that accounted for more of the stolen card data in India last year.
More people in the U.S and U.K. have had their payment card data stolen and posted for sale, according to the research, despite India being far more populous than those countries.
One reason for that is that cybercriminals have had their sights on the U.S. and U.K. for years, whereas India is a relatively new target, according to Alforov. But that is changing: the company expects India to surpass the U.K. next year to rank second in this category.