Compromised Point-of-Sale Data Remains a Staple Among Fraudsters

By Kathleen Weinberger and Roman Sannikov

Below is a featured blog post from associate member Flashpoint. This comes as a follow-up to the webinar they presented recently to the RH-ISAC membership. We thank them for their expertise and willingness to share and support the RH-ISAC’s community of retail cybersecurity practitioners. 


Fraud is a persistent problem for brick-and-mortar and e-commerce retailers alike. Retailers’ intelligence teams often focus their attention on loss prevention to combat direct forms of fraud, such as the use of fake receipts, but this is not the only way fraud can threaten retailers. Indeed, intelligence teams must also be cognizant of cybercriminals targeting their point-of-sale (PoS) systems to obtain credit card data, typically with the intention of selling it on illicit card shops on the Deep & Dark Web (DDW).

Underground card shops endure because they are the epitome of a centralized criminal economy targeting retailers. As with other DDW marketplaces, many prominent card shops bear striking structural similarities to legitimate organizations, complete with established infrastructure, a team accountable for the product, and a vested interest in fostering a strong reputation with clients.

Despite significant gains made by law enforcement and private-sector research communities, card shops figure to remain a primary means of obtaining stolen payment card data in the form of dumps or cards, often obtained from compromised retailers.

Dumps consist of payment card data stolen from the magnetic stripe of a payment card through the use of skimmers; these are used for cloning physical cards and for in-store fraud. Cards, meanwhile, are packages of card numbers and other information necessary for card-not-present fraud. Some sellers will also offer what are known as “fullz,” which are complete sets of personally identifiable information (PII) for an individual. Fullz may include a victim’s Social Security number, date of birth, and other information considered useful for carrying out identity theft.

Flashpoint analysts believe fraudsters will patronize underground card shops to avoid the risks associated with obtaining the data themselves. Stealing credit card numbers and other PII from retailers typically involves the installation of a skimmer on a physical card reader or the use of point-of-sale malware. In addition to being a high-risk endeavor, this crime requires specialized skills and the up-front cost of obtaining the necessary malware and hardware. By eliminating the need to obtain this data directly from retailers, the presence of these underground shops has lowered barriers to entry for making fraudulent purchases using stolen card information.

Many card shops have slick user interfaces that allow customers to load funds from a cryptocurrency wallet and check the validity of a dump using an online tool provided by the shop. Some higher tier shops even offer refunds within an allotted time period, say 30 minutes following the purchase, for example, if a payment card number is not valid. Prices of dumps and cards may vary according to the region from where the numbers originate and how recently they were obtained.

The level of service offered by a card shop may vary depending on its tier and reputation within the cybercriminal underground. Tiers definitely matter to buyers, especially when dealing with shops of lesser reputations, known as “junk” and “mid-tier” shops where payment card data may be drawn from the same sources that other similar lower-tier shops draw from. The data is likely to be old and potentially unusable, and there may be less opportunity for a refund.

When it comes to top-tier card shops, the expectation is that the cards and dumps are fresh because many of these shops have private sources of stolen cards. Top-tier shops also shy away from reselling cards that have been sold already, whereas those at the junk tier may not resell on the same shop, but may instead try to sell cards or dumps which have already been used by fraudsters or have already been sold at another shop. Typical buys, meanwhile, depend on the individual; gangs in carding operations may buy in bulk whereas individuals cloning cards on their own may buy lesser amounts.

DDW forums also have their place in this ecosystem of buying and selling stolen card data, whether it be where shops are advertised or new breaches are marketed. Operators can interact with buyers and can in some cases share invitation codes to closed shops providing private access to a new customer.

Shop operators also use forums to discuss infrastructure changes, such as when a shop opens a new domain of operation. Scammers frequently attempt to set up fake shops with similar URLs in order to phish other threat actors, tricking them into entering their login credentials in order to take over their accounts on the official website.

Card shops selling data stolen from retailers remain a viable part of the underground economy, in spite of the emergence of other potential revenue streams introduced through the availability of hundreds of millions of stolen credentials, or the spread of cryptocurrency miners, and ransomware, just to name a few.

Efforts from retailers and financial institutions to implement enhanced security measures to combat fraud have cut into the viability of a stolen card, meaning those that survive likely have an enhanced value to buyers and sellers. All of this is continuing to breathe life into card shops as a primary means of this type of business on the underground.

For more information on Flashpoint, please contact [email protected].





More Recent Blog Posts