

Fresh Target Breach Cards Hitting Black Market

A Bitcoin-powered marketplace is selling stolen card data in small batches, offering card validity guarantees, an RSA presentation reveals.


Since Target discovered that its point-of-sale systems were breached and 40 million credit cards stolen, how usable has the stolen card data been for criminals?

In fact, nearly two-thirds of the stolen card data being sold by Target's attackers remains valid, Dan Ingevaldson, CTO of Easy Solutions, said Thursday in a presentation at this week's RSA Conference in San Francisco. "When the first batch of Target cards hit, it was about 90% valid," Ingevaldson said in an interview at the conference. "Now they're about 60% valid, so it's just tapering off."

So far, only a fraction of the 40 million cards stolen from Target's point-of-sale systems have hit the black market. Furthermore, at the current rate of distribution, the attackers will keep drip-feeding the data onto carder forums for many more months. "The Target breach is going to be happening for at least the next year, until the cards age out," Ingevaldson said.

The implications for consumers are clear. Anyone whose card data was stolen by Target's attackers may not see related fraud hit their card until later this year -- or even next year -- when their card data finally gets offered for sale. The reason for that delay, Ingevaldson said, comes down to supply and demand: Attackers want to maximize their haul from the Target breach. "The market isn't big enough to absorb 40 million cards" all at once.

[The Target data breach started with an email attack on the retailer's HVAC subcontractor. Read Target Breach: Phishing Attack Implicated.]

That release strategy is also tailored to selling card data repeatedly to a relatively small audience, which wouldn't have enough cash to hand to buy -- or put to use -- all the stolen card data outright, Aviv Raff, CTO of Seculert, said in an interview at the conference. "They want to monetize their stolen data. They could have just dumped it and gotten some money, but they want to get more."

Why are the stolen credit card numbers still valid at all? Because many issuers have chosen not to invalidate stolen numbers and issue new cards -- which costs either them or Target money. They are taking a wait-and-see approach and hope that their internal fraud controls spot related abuse.

How effective is that approach? "Good luck with that," said Raff, who formed the fraud action research lab at RSA before cofounding Seculert. In other words, those who shopped at Target during the period when attackers hacked into the company's network -- from Nov. 27 until Dec. 18 of last year -- may want to call their credit or debit card issuer and demand a new card, if they haven't already received one.

In his RSA presentation, Ingevaldson also demonstrated how Target's attackers -- or anyone else selling stolen card data -- maintain buyer interest, even as the data grows less valid and thus usable over time. Interestingly, some sites selling card data offer money-back guarantees for any numbers that don't work. Ingevaldson browsed a carder site called Valid Shop, which functions like an Amazon.com for black market data buyers, allowing them to purchase card data using bitcoins.

Valid Shop, which is offering Target card data, provides a number of otherwise de rigueur e-commerce features: one-click buying, easy checkout, robust customer service, and the aforementioned money-back guarantee. The site also allows users to buy either individual card numbers or bigger batches, and it calculates their validity rate, typically by checking them against a legitimate merchant account that has itself been stolen by hackers. "That validity level is really the core metric for the price of the card -- in addition to limits and gold cards and platinum cards and stuff like that," Ingevaldson said.

Upon checkout and payment, the site adds a further twist: It tests all the numbers to see if they're valid. Some boards will immediately replace bad numbers with good ones or issue the buyer a refund -- in bitcoins, in the case of Valid Shop. "So it's a good customer service angle."

What will likely happen now that Easy Solutions has publicized Valid Shop? The forum may continue unchanged, since it does restrict access to vetted members. "We had to talk with these guys on ICQ, build up a persona, and do a few transactions with them to get known and vetted," Ingevaldson said. The site is hidden behind registration walls.

Or Valid Shop's administrators may just set up a new shop under a different name, as recently happened when the journalist Brian Krebs publicized a similar outfit. "When Krebs exposed a forum, it was shut down the next day and came up [under a new name] the day after that," Ingevaldson said.


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

User Rank: Apprentice
3/2/2014 | 9:32:37 AM
Re: Not Only Credit Cards
The Microsoft scam support call is amusing to think about: someone actually thinks that by making such calls and investing time and money, consumers are going to fall prey to the scam. The scary bit is that they are still operational, which means that there are people falling for the scam -- generating revenue. Otherwise they would not be attempting such a scam. The idea that a company will provide a high level of customer support is appealing to customers, but from the article we can see that when support and protection require investment, firms choose the wait-and-see approach (risk management).
User Rank: Ninja
3/1/2014 | 7:10:12 PM
Target Breach: the gift that keeps giving
The really galling thing about this latest breach is that this kind of theft can be nixed if the credit card industry (and those businesses that accept plastic) would simply upgrade its current PCI DSS to the same standard Europe uses.
User Rank: Apprentice
3/1/2014 | 1:57:03 PM
Re: Not Only Credit Cards
This is scary. The level of "service" that Valid Shop is offering is a bit disturbing. I guess that even illegal marketplaces need to serve their customers well, or else people will not pay them.

This is another unfortunate example of people using bitcoin for nefarious purposes. Bitcoin has many positive aspects, but its pseudonymous nature is causing it to be used as a tool for criminality.
User Rank: Apprentice
2/28/2014 | 6:47:04 PM
Re: Bottom line advice?
Yes. If I'd shopped at Target during the breach window -- which I didn't -- and used a credit/debit card, I'd call the card issuer and demand a new card number. Failing that, I'd threaten to cancel the account, or change banks.

However long that new-card process takes, it's a good bet it will equal a lot less time than dealing with the mess caused by any resulting ID theft.
Jim Donahue
User Rank: Apprentice
2/28/2014 | 2:31:14 PM
I got my first direct communication from Target about this situation only this week! That is remarkably bad.

Given I used only my Target card at the store during the affected time frame -- not a general credit card -- I can pretty easily keep tabs on how the card is being used, so I'm not terribly concerned. But I am surprised Target hasn't canceled its cards and issued new ones.
User Rank: Apprentice
2/28/2014 | 2:29:33 PM
Bottom line advice?
So the bottom line, Mat, is if you shopped at Target during the timeframe in question, you should insist now on a new card?
User Rank: Moderator
2/28/2014 | 1:04:31 PM
Not Only Credit Cards
In the past week, I received a call about my "Microsoft Windows software" and another from "XYZ Bank's collection agency." Both, of course, were scams. I laughed at the first guy but was a bit concerned for a couple of minutes by the voicemail from the second until common sense kicked in.