Credit card fraud would seem to be a frequent, lucrative method of monetary gain for cybercriminals. While this was the case for many years, activities over more recent years have shown otherwise. The number show that cybercriminals were losing interest in selling and buying stolen credit card information. But lately, the global underground market for compromised cards seems to be on the upswing again, climbing steadily from the end of 2023 and continuing this year.
It's both surprising and sadly predictable -- a reminder that there's rarely a "done and over with" in cybersecurity battles.
See also: Cyber's Evolving Threat Landscape
Understanding the world of stolen credit cards
At Cybersixgill, we collect millions of pieces of data from the deep, dark and clear webs each day to better understand the actions of digital fraudsters who are continually seeking ways to enrich themselves, so we can help businesses protect themselves.
In 2019, more than 140 million compromised credit cards were listed for sale on underground markets. The number then plummeted each year, and by 2022, the total number of compromised cards dropped to 9.1 million. The price of cards dropped, as well.
In September 2022, we analyzed why the number of cards declined and attributed it to a fall in both supply and demand. On the supply side, it became more difficult and less attractive to compromise cards. For those on the demand side, security measures were making it harder to use a card in fraudulent ways. Our conclusion was that those who looked to profit from cybercrime pursued other methods, such as ransomware.
A change of course in late 2023
Through the first 10 months of 2023, average sales of compromised cards were about the same as in 2022. But beginning in November, sales shot up dramatically -- so much so that overall annual sales jumped 25% from 9.1 million in 2022 to more than 12 million in 2023.
These trends continued into January and February 2024, setting the number of compromised credit cards sold on pace to exceed 34 million this year, representing a major reversal after years of decline.
Seeing this data, we had to dig deeper and figure out what was going on.
What's the reason?
Our research shows that a particular dark web market -- one that had been dormant for a while -- recently re-opened. The re-emergence of this market has shifted the entire landscape of compromised credit cards; since mid-November 2023, it has listed more cards than any other market. In fact, it has accounted for about 65% of ALL compromised cards for sale and is solely responsible for the overall rise in cards.
See also: Cyber Insurance at Inflection Point
Why is this market bucking such a significant trend?
First, we posited that the universalization of EMV chips and better e-commerce site security made it more difficult to compromise cards compared with the heyday of Magecart attacks of 2018. (If you're not familiar, Magecart is a collective of cybercriminal groups that inject digital credit card skimmers on e-commerce and payment websites. These groups have been active since 2015 and gained momentum in 2018 with successful breaches of well-known brands such as British Airways and Ticketmaster.) It could be, however, that the operators of this renewed market discovered a new attack technique or carried out a major breach, enabling them to accrue a massive supply of cards.
Second, we considered that threat actors had far better opportunities to make money, specifically with ransomware and crypto-exchange hacking. However, things have changed over the last few years. With so much effort on the part of organizations and governments to fight ransomware, only the most sophisticated groups can carry out successful attacks. And crypto-exchange hacking appears to have declined significantly, as well.
Therefore, it could be that the operators of this market determined that carding was indeed their most lucrative and least risky option, and they reincarnated their old operation.
Now what?
It remains to be seen if recent activity in this fraudulent card market is an anomaly or if it represents a new trend. Will it be able to sustain the number of cards? Will other markets increase their supplies? Will new markets emerge?
Fortunately for consumers and issuers, the Payment Card Industry Data Security Standard (PCI DSS) is undergoing changes that promise to make credit card payments safer than they were previously. These broad changes, which represent the first major update since 2016, begin this month and go into full effect a year later.
Governmental action also plays an important role: Banks are under increasing regulatory pressure to minimize credit card fraud. Additionally, law enforcement may choose to pursue markets for stolen credit cards more aggressively, as they do with ransomware.
Consumers need to be wary of suspicious activity and check their accounts regularly to spot any charges they don't recognize. They should use a card with an EMV chip to prevent skimming attacks and be highly cautious so as not to fall for phishing email schemes.
In our increasingly interdependent digital world, cybercriminals are permanent residents, not temporary visitors. We need to acknowledge their presence and stay diligent.