Security researchers from Gemini Advisory, a cyber threat intelligence firm, disclosed a large sale of credit and debit card records belonging to South Korean cardholders on hacker forums. The first batch of stolen card records numbered 890,000 and the second 230,000; in total, the number of cards “for sale” on the dark web passed one million by May 29, 2019. Initial investigations indicated that the card details came from infected POS (point-of-sale) terminals, card skimming at ATMs and a merchant data breach.
Contrary to popular belief, South Korea is a known haven for cyber crime, as many locals lead carefree, high-spending lifestyles and often pay for their purchases with debit or credit cards. With the high demand for a convenient lifestyle, stolen cards in South Korea are easy to sell cheaply. This pushes black-market prices for debit/credit cards higher in South Korea, as many people buy stolen payment cards to fund their lifestyles.
“The median price per record from this spike is $40 USD, which is significantly higher than the median price of South Korean CP records across the dark web overall, which is approximately $24 USD. This sudden influx in card supply may be highly priced in an attempt to capitalize on the growing demand,” explained Stas Alforov, Gemini Advisory’s Director of Research and Development.
Christopher Thomas, security researcher for Gemini Advisory, also emphasized that cybercriminals like to target the Asia-Pacific region because of its less than stellar cyber crime readiness. South Korea, in particular, is a favorite target, being one of the most “westernized” economies in the Asian region. “Since many of these financial institutions have less sophisticated antifraud systems than their Western counterparts, cybercriminals learned that the return on investment for APAC cards is much higher when compared to North American cards. Disturbingly enough, it appears that hackers have learned that South Korean payment infrastructure is especially vulnerable to attacks, which resulted in the massive data breach that is currently unfolding,” added Thomas.
Debit/credit card credential theft escalated because several businesses in South Korea are subsidiaries of other businesses that interface with vulnerable point-of-sale terminals. That is, where company A is wholly owned by company B, the POS system of the latter may or may not hold the customer information of the former. It is common for South Korean businesses to maximize the utilization of their payment systems in this way. “This would mean that a threat actor gained access to a single integrator service that interfaces with many merchants to enable them to use their individual POS devices. The threat actor would then have access to payment data from multiple sources, accounting for the lack of a common merchant among the compromised payment cards,” emphasized Alforov.
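The reasoning in Alforov's quote is what fraud teams call common-point-of-purchase analysis: take the cards later confirmed as compromised, find where their transaction histories intersect, and if no single merchant covers them, check whether the merchants they used share an upstream integrator. The following is an added illustration written for this article, not Gemini Advisory's tooling; the card tokens, merchant and integrator identifiers are constructed placeholders.

```python
"""Common-point-of-purchase analysis over constructed transaction records.

If compromised cards share no merchant but do share an integrator that
services the merchants they used, the integrator is the likely point of
compromise, the pattern the article describes.
"""
from collections import defaultdict

# Constructed sample data: (card_token, merchant_id, integrator_id).
# None of these identifiers refer to real cards, merchants or integrators.
SAMPLE_TRANSACTIONS = [
    ("card-A", "cafe-01", "INT-X"),
    ("card-A", "grocer-07", "INT-Y"),
    ("card-B", "petrol-03", "INT-X"),
    ("card-B", "grocer-07", "INT-Y"),
    ("card-C", "bookshop-12", "INT-X"),
    ("card-C", "cinema-02", "INT-Z"),
    ("card-D", "pharmacy-09", "INT-X"),
    ("card-E", "cafe-01", "INT-X"),  # not compromised: dilutes INT-X precision
]

# Cards the issuer has confirmed as compromised (constructed).
COMPROMISED = {"card-A", "card-B", "card-C", "card-D"}

# Which column of a transaction record each analysis level keys on.
_LEVEL_INDEX = {"merchant": 1, "integrator": 2}


def coverage(transactions, compromised, by="merchant"):
    """Map each entity at the given level to the share of compromised cards seen there."""
    idx = _LEVEL_INDEX[by]
    seen = defaultdict(set)
    for record in transactions:
        if record[0] in compromised:
            seen[record[idx]].add(record[0])
    return {entity: len(cards) / len(compromised) for entity, cards in seen.items()}


def precision(transactions, by, entity):
    """Share of all cards seen at an entity that are compromised (guards against
    flagging a huge merchant that every cardholder uses anyway)."""
    idx = _LEVEL_INDEX[by]
    cards = {r[0] for r in transactions if r[idx] == entity}
    return len(cards & COMPROMISED) / len(cards) if cards else 0.0


def common_point(transactions, compromised, threshold=0.9):
    """Return (level, entity, coverage) for the first level whose best entity
    covers at least `threshold` of the compromised cards, merchants before
    integrators, or None if neither level reaches it."""
    for level in ("merchant", "integrator"):
        scores = coverage(transactions, compromised, by=level)
        if not scores:
            continue
        best, frac = max(scores.items(), key=lambda kv: kv[1])
        if frac >= threshold:
            return level, best, frac
    return None


if __name__ == "__main__":
    hit = common_point(SAMPLE_TRANSACTIONS, COMPROMISED)
    print("suspected common point:", hit)
    if hit:
        level, entity, _ = hit
        print("precision at that entity:", precision(SAMPLE_TRANSACTIONS, level, entity))
```

On the constructed data no merchant covers more than half of the compromised cards, while integrator `INT-X` covers all four, which is exactly the signature of an integrator-level compromise rather than a single breached merchant. Real analyses also weight by transaction date windows and compare against a baseline population so that a ubiquitous merchant is not flagged merely for being popular.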
Debit/credit card credential theft can be mitigated with EMV-based cards, which the South Korean government has mandated banks to issue since 2015. However, since the mandatory deadline only took effect in July 2018 (one year of implementation), millions of South Korean card users still hold the old magnetic-stripe cards issued before that date. Magnetic-stripe cards issued by banks before EMV technology were seen as one of the weakest links in how cybercriminals were able to steal banking information. Magnetic-stripe card copiers are available for purchase in various online stores globally, and anyone with such a device can copy the data from the card, creating a clone that functions the same way.
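The difference the paragraph relies on is that a magnetic stripe carries static data, so a copy is indistinguishable from the original, whereas an EMV chip computes a fresh cryptogram per transaction over a terminal-supplied unpredictable number, so a captured response cannot be reused. The toy model below, added here as an illustration and not a real EMV implementation, shows an issuer-side check for each case; the key, PAN and unpredictable numbers are constructed demo values.

```python
"""Static track data versus a per-transaction cryptogram (toy model, not EMV).

The issuer shares a per-card key with the chip. The terminal supplies a fresh
unpredictable number for each transaction and the chip returns an HMAC over
(PAN, amount, unpredictable number). The issuer recomputes it; a value captured
during one transaction does not verify against a later one.
"""
import hashlib
import hmac

# Constructed demo key; in practice a per-card key derived from an issuer master key.
DEMO_CARD_KEY = b"constructed-demo-card-key"
DEMO_PAN = "4000000000000002"  # constructed test PAN, not a real account
DEMO_EXPIRY = "2512"


def magstripe_track(pan, expiry):
    """Static stripe contents: everything the issuer checks is on the card itself."""
    return f"{pan}={expiry}"


def magstripe_authorize(cards_on_file, presented_track):
    """Issuer check for static data: the presented track matches a card on file."""
    return presented_track in cards_on_file


def card_cryptogram(key, pan, amount, unpredictable_number):
    """What the chip returns: a MAC binding the transaction to the terminal's nonce."""
    msg = f"{pan}|{amount}|{unpredictable_number}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def emv_authorize(key, pan, amount, unpredictable_number, cryptogram):
    """Issuer check for dynamic data: recompute the MAC for this transaction."""
    expected = card_cryptogram(key, pan, amount, unpredictable_number)
    return hmac.compare_digest(expected, cryptogram)


def demo(un_first="a1b2c3d4", un_second="e5f60718"):
    """Return (clone_accepted, genuine_accepted, replay_accepted).

    un_first / un_second are constructed terminal nonces for two transactions.
    """
    # Static stripe: a byte-for-byte copy of the track verifies like the original.
    track = magstripe_track(DEMO_PAN, DEMO_EXPIRY)
    clone_accepted = magstripe_authorize({track}, track)

    # Dynamic chip: the cryptogram from transaction 1 verifies for transaction 1...
    captured = card_cryptogram(DEMO_CARD_KEY, DEMO_PAN, 1500, un_first)
    genuine_accepted = emv_authorize(DEMO_CARD_KEY, DEMO_PAN, 1500, un_first, captured)

    # ...but the same value presented in transaction 2 (new nonce) is rejected.
    replay_accepted = emv_authorize(DEMO_CARD_KEY, DEMO_PAN, 1500, un_second, captured)
    return clone_accepted, genuine_accepted, replay_accepted


if __name__ == "__main__":
    clone, genuine, replay = demo()
    print(f"magstripe clone accepted: {clone}")
    print(f"chip cryptogram, genuine: {genuine}; replayed: {replay}")
```

The model deliberately omits the rest of EMV (offline data authentication, issuer scripts, CVM handling) to isolate the one property that matters for the article's point: an issuer verifying static stripe data has nothing to distinguish a clone with, while an issuer verifying a nonce-bound cryptogram does. Fallback to magnetic stripe on EMV-capable terminals is why the remaining stripe cards, not just the chip rollout, determine the residual exposure.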