$38M Worth of Gift Cards Sold by a Hacker
A Russian hacker has sold 900,000 gift cards, with an estimated value of $38 million, on an underground forum.
The hacker did not disclose how he got the load, but claimed that the database included 895,000 gift cards from 3,010 companies, such as Airbnb, Amazon, American Airlines, Chipotle, Dunkin Donuts, Marriott, Nike, Subway, Target, and Walmart.
It seems that the database contained cards from thousands of brands and might have originated from an older breach that started at the now-defunct discount gift card shop Cardpool.
It’s common practice when selling data in bulk on hacker forums for the seller to set up an auction. This auction started at $10,000, with a buy-now price of $20,000, so it did not take long for a buyer to pay for the entire load.
Gemini Advisory, a threat intelligence firm, says that gift cards usually sell for 10% of their value, but in this case the asking price was significantly lower, around 0.05%.
This raises some questions, as giving the cards up for such a small fraction of their value is abnormal. It could mean that the seller’s $38 million claim was an overstatement made to get attention and find a buyer quickly. Another reason for the low price could be that the gift card validity rate was likely lower, with many of the cards no longer active or holding a low balance.
It looks like the seller might have been involved in the Cardpool breach: just a day after the gift card auction, he offered to sell incomplete data from 330,000 debit cards in an auction that started at $5,000, with a buy-now price of $15,000.
The available information included billing addresses, card numbers, expiration dates, and the issuing bank’s name, but the database did not contain the cardholder name or the CVV code required for card-not-present (CNP) transactions.
The researchers concluded that these payment cards came from the breach that took place at Cardpool.com between February 4, 2019, and August 4, 2019.
Attackers can acquire backend access to online shops through a variety of methods, including exploiting vulnerabilities in sites’ content management systems (CMS) and brute-forcing admin login credentials.
The hacker selling the two databases is a long-time member of the underground community who has been active on dark web forums since 2010 and has previously offered large collections of stolen payment card data, databases, and personally identifiable information (PII) of U.S. residents.