Reporting on the exposure of some 26 million stolen credit cards leaked from a top underground cybercrime store highlighted some persistent and hard truths. Most notably, that the world’s largest financial institutions tend to have a much better idea of which merchants and bank cards have been breached than do the thousands of smaller banks and credit unions across the United States. Also, a great deal of cybercrime seems to be perpetrated by a relatively small number of people.

In September, an anonymous source sent KrebsOnSecurity a link to a nearly 10 gb set of files that included data for approximately 26 million credit and debit cards stolen from hundreds — if not thousands — of hacked online and brick-and-mortar businesses over the past four years.

The data was taken from BriansClub, an underground “carding” store that has (ab)used this author’s name, likeness and reputation in its advertising since 2015. The card accounts were stolen by hackers or “resellers” who make a living breaking into payment card systems online and in the real world. Those resellers then share the revenue from any cards sold through BriansClub.

KrebsOnSecurity shared a copy of the BriansClub card database with Gemini Advisory, a New York-based company that monitors BriansClub and dozens of other carding shops to learn when new cards are added.

Gemini estimates that the 26 million cards — 46 percent credit cards and 54 percent debit cards — represent almost one-third of the existing 87 million credit and debit card accounts currently for sale in the underground.

“While many of these cards were added in previous years, more than 21.6 million will not expire until after October 2019, offering cybercriminal buyers ample opportunity to cash out these records,” Gemini wrote in an analysis of the BriansClub data shared with this author.

Cards stolen from U.S. residents made up the bulk of the data set (~24 million of the 26+ million cards), and as a result these far more plentiful cards were priced much lower than cards from banks outside the U.S. Between 2016 and 2019, cards stolen from U.S.-based bank customers fetched between $12.76 and $16.80 apiece, while non-U.S. cards were priced between $17.04 and $35.70 during the same period.

Unfortunately for cybercrime investigators, the person who hacked BriansClub has not released (at least not to this author) any information about the BriansClub users, payments, vendors or resellers. [Side note: This hasn’t stopped an unscrupulous huckster from approaching several of my financial industry sources with unlikely offers of said data in exchange for bitcoin].

But the database does have records of which cards were sold and which resellers (identified only by a unique number) supplied those cards, Gemini found.

“While neither the vendor nor the buyer usernames appeared in this database, they were each assigned ID numbers,” Gemini wrote. “This allowed analysts to determine how prolific certain threat actors were on BriansClub and derive relevant metrics from this data.”

According to Gemini, there were 142 resellers and more than 50,000 buyers of the card data sold through BriansClub. These buyers purchased at least 9 million of the 27.2 million cards available.

One reseller in particular (ID: 174,829) offered just shy of 6 million records, posted for $106 million. Of those, almost 940,000 were sold, grossing over $16 million in profits shared between BriansClub and the reseller. In the quote below, a “base” refers to a distinct batch of freshly-stolen card data uploaded to BriansClub.

“For context, the collective price for the entirety of exposed BriansClub records was $566 million, while the total dollar amount of all sold records exceeded $162 million,” Gemini noted. “The top 20 buyers bought 5% of the entire set of records in this shop, while the top 100 buyers accounted for 11%. The shop had a total of 11,000 bases, with most vendors uploading multiple bases.”

All of the 26 million+ card records leaked from BriansClub were shared with multiple trusted sources that work directly with financial institutions to inform them when their customers’ cards go up for sale in the cybercrime underground.

Banks at this point basically have three options. Ignore the report and hope for the best. Cancel the card and reissue. Or monitor the card more closely and place tighter fraud controls on that account.

But here’s the thing: Not all banks got the data at the same time. The larger banks got it first and largely shrugged. At least according to anti-fraud sources at two large U.S.-based financial institutions: Their anti-fraud teams had already identified 90-95 percent of the cards as potentially compromised in one of hundreds of breaches since 2015, mostly those involving malware inside point-of-sale retail checkout systems.

The sources I spoke with at smaller financial institutions found out about the cards they’d issued to customers that wound up in the BriansClub data by receiving alerts last week from Visa and MasterCard. Most of those sources seemed genuinely surprised at the number of cards exposed, and two sources at different credit unions each estimated they were previously unaware of about 80 percent of the cards listed in the alerts from the credit card companies.

Also, smaller financial institutions are far more likely to eat the cost of re-issuing cards at risk of fraudulent use than are larger institutions, which typically have much a higher tolerance for financial losses from counterfeit card fraud. So far, however, there is no evidence this flood of card data intelligence is causing much of a stampede for re-issuing cards.

Visa maintains that smaller financial institutions receive the same alerts sent to larger banks about cards thought to be exposed in specific breaches. The alerts include cards specific to each bank, but smaller banks are often limited in the resources they have available to do much with the reported card data, aside from re-issuing the card.

Gemini CEO and co-founder Andrei Barysevich said so far the feedback from the banks has been all over the place.

“While the larger US banks told us that most of the cards have been previously flagged as compromised, the mid and small size financial institutions were caught completely off-guard,” he said. “As to the European and Asian banks, to them the data was mostly new, in some cases upwards of 60% of cards were still open and active.”

I thought perhaps the card associations could provide some meta-statistics on the BriansClub dump, but also those hopes were dashed. MasterCard did not respond to requests for comment. Visa declined to share any information related to the BriansClub database (even though they got it indirectly care of Yours Truly), but issued the following statement:

“As part of our core mission to ensure security across the payment system, we are very aware of carder forums and other criminal enterprises. Visa continuously invests in intelligence and technology to detect cyber threats and works with law enforcement, clients and other partners, to mitigate and disrupt such threats.

“Whenever we discover compromised account information, Visa uses its payment intelligence and investigative capabilities to determine the source. We also work with our financial institution clients to provide card issuers with the compromised account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, by reissuing cards. Incidents such as these reinforce the need for secure technologies such as chip and tokenization to devalue account information so that even if stolen, data cannot be leveraged for fraud.””

Gemini found that exactly two-thirds of the stolen cards (66.6 percent) siphoned from BriansClub were Visa-branded, and 23 percent MasterCard. A full 85% of the total records were EMV (chip) enabled, with the remaining 15% using only a magnetic stripe.

One final note: The Gemini report also challenges claims made by the administrator of BriansClub, namely that he removed the breached cards from his online store and that the data leak stemmed from a breach in February as his site’s data center.

“While the administrator of BriansClub, operating under the moniker ‘Brian Krebs,’ claimed that the breach took place in February 2019, this appears to be false,” Gemini observed in its report. “The number of records from South Korea corresponds to a previous spike in South Korean records that occurred from March 2019 through July 2019. If BriansClub were breached in February, the South Korean-issued cards would number under 10,000 rather than over 1 million.”

The report continues:

“This threat actor also claimed to have removed the compromised records from the shop. Gemini has found this claim to be false as well. Since BriansClub offers a ‘checker service’ for all purchased records to determine whether compromised payment cards are still open, it may be unnecessary to remove the cards. The shop likely assumes that even if the banks received the compromised card data from this breach, they are unlikely to close down and reissue every single card.”

Tags: Andrei Barysevich, BriansClub breach, Gemini Advisory, mastercard, Visa