
In what security researchers have dubbed one of the biggest card dumps in recent years, more than 1.3 million payment card details have been put up for sale on Joker's Stash, the internet's largest carding shop, ZDNet has learned.

The new upload contains data primarily from Indian cardholders, security researchers at Group-IB told ZDNet, after spotting the new upload just hours before.


Group-IB said the cards are being sold at a top-tier price of $100 per card, putting the hackers on a trajectory of making more than $130 million from their latest haul.

Source of the cards unknown

Because the advert for the latest cards was published only hours ago, Group-IB said they hadn't had the time to analyze and look into the source of a possible breach.

Early data analysis suggests the card details may have been obtained via skimming devices, installed either on ATMs or PoS systems.

This is because the card dump includes Track 2 data, usually found on a payment card's magnetic stripe. The presence of this kind of data automatically rules out skimmers installed on websites (Magecart attacks), where Track 1 and Track 2 data are never used.

Furthermore, the cards varied wildly in terms of issuing bank, coming from multiple banks, and not just one -- ruling out a compromise of one single bank's ATM system.
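The Track 2 reasoning above can be expressed as a triage check an analyst might run over a sample of leaked records. This is an added example, not Group-IB's tooling: the `;PAN=YYMM...?` pattern follows the ISO/IEC 7813 Track 2 layout, while the `PAN|MM/YY|CVV` web-form layout, the function names and the sample records are assumptions made for illustration.

```python
import re
from collections import Counter

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM<service code><discretionary data>?
TRACK2 = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})\d*\?")
# Assumed export layout for data typed into a web form: PAN|MM/YY|CVV
WEB_FORM = re.compile(r"^(\d{12,19})\|(\d{2})/\d{2}\|\d{3,4}$")

def luhn_ok(pan: str) -> bool:
    """Checksum used on payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(record: str) -> str:
    """Label one leaked record by the kind of capture it implies."""
    m = TRACK2.search(record)
    if m and luhn_ok(m.group(1)) and 1 <= int(m.group(3)) <= 12:
        return "magstripe"   # physical read: ATM or PoS skimmer
    m = WEB_FORM.match(record.strip())
    if m and luhn_ok(m.group(1)) and 1 <= int(m.group(2)) <= 12:
        return "web-form"    # typed data: consistent with a web skimmer
    return "unknown"

def assess(records):
    """Return per-class counts and the capture method the sample points to."""
    counts = Counter(classify(r) for r in records)
    if counts["magstripe"] and not counts["web-form"]:
        verdict = "card-present skimming (ATM/PoS)"
    elif counts["web-form"] and not counts["magstripe"]:
        verdict = "card-not-present capture (web skimmer)"
    else:
        verdict = "mixed or undetermined"
    return dict(counts), verdict

# Constructed sample using public test card numbers, not data from the dump.
SAMPLE = [
    ";4111111111111111=25122010000000000?",
    ";5555555555554444=26012010000000000?",
    ";4111111111111112=25122010000000000?",  # fails Luhn, so "unknown"
]

if __name__ == "__main__":
    print(assess(SAMPLE))
```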

"For the moment, Group-IB's Threat Intelligence team has analyzed more than 550K card dumps from the database," Group-IB wrote in a report shared exclusively with ZDNet, and which the company plans to publish tomorrow.

"More than 98% belong to Indian banks, 1% - to Colombian, and more than 18% of the 550K cards that have been analyzed so far belong to a single Indian bank," the company added.

In an email, Group-IB told ZDNet that what stood out about today's card dump was its sheer size. Most similar card dumps are much smaller and usually include card details from all over the world, not just one country. For example, the image below is an ad for a typical Joker's Stash card dump, composed of data from multiple countries rather than just one.

Joker's Stash is what security researchers call a "card shop," a term used to describe an online marketplace where criminal groups sell and buy payment card details -- advertised as "card dumps."

Joker's Stash is one of the oldest card shops around, is available on the dark web, and is also known to be the place where major cyber-crime groups like FIN6 and FIN7 both sell card dumps.

Criminals who buy card dumps from Joker's Stash typically use the data to clone legitimate cards and withdraw money from ATMs in so-called "cash outs."

Today's Indian card dump is the third major card dump this year, in terms of size.

In February, card details for 2.15 million Americans were similarly put up for sale on Joker's Stash as part of a card dump nicknamed the "DaVinci Breach."

In August, nearly 5.3 million card details obtained from Hy-Vee customers were also dumped on Joker's Stash.

Two smaller card dumps, of 890,000 and 230,000, were also reported in July and June, both belonging to South Korean users.

However, all the card dumps listed above were released in small batches, over time. This one was published in one go, suggesting the threat actors may want to monetize as many cards as possible before banks intervene to deploy countermeasures or invalidate cards.