Overview
On February 28th, 2023, BidenCash, a card shop, celebrated its first anniversary by uploading over two million stolen debit/credit cards onto the XSS dark web forum. The data dump consisted of the compromised card numbers and the personal information of many of the cardholders. This article outlines the contents of the data dump and the potential danger to the organizations and victims affected. Figure 1 shows the advertisement posted by the group.

Analysis
The researcher acquired the shared file and went over the data. An estimated 2.1 million cards, consisting of debit, credit, and charge cards, are present. The file is a plain-text document with one card per row and the columns separated by the ‘|’ symbol. Every row has the full card number, expiration date, and CVV, and many rows also include the issuing bank and the cardholder’s personal details. Criminals can exploit this information to commit fraud directly and to mount follow-on attacks such as spear phishing, account takeover, or fraudulent applications. Figure 2 shows a sample of the dump file.

Below are the fields in each row.
| Field Type | Description |
| --- | --- |
| Card Number | The full debit/credit card number. |
| Expiry Date | The expiry date of the card. |
| CVV | The card verification value. |
| Name | Name of the credit/debit card owner. |
| Issuer | The bank that issued the credit/debit card. |
| Network | The network the card is processed on. |
| Type | The card brand. |
| Class | Debit or Credit |
| Address, City, State, ZipCode, Country | The address of the owner of the card. |
| Email | Email address of the owner of the card. |
| Phone number | Phone number of the card owner. |
Our investigation reveals that the United States has the largest number of cards in the dump. The top 5 countries by number of cards are listed below.
| Country | Total |
| --- | --- |
| United States | 965,846 |
| Mexico | 97,665 |
| China | 97,003 |
| United Kingdom | 86,312 |
| Canada | 36,906 |
More than 75% of the cards expire this year (2023). The ten most common expiry years are shown below.

More than half of the cards are debit cards. Figure 3 shows the overview of the card type.

Approximately 1 million cards have a registered owner address, while 600 thousand contain both an address and phone number. The table below provides a breakdown of the top ten email providers.

Risks & Mitigation
Now that the data dump is freely available on the underground forum, fraudsters can obtain it and use it to their advantage. The immediate risk is that they use the stolen card data to commit fraud, such as making unauthorized purchases on online platforms. The longer-term and more significant risk, however, falls on the roughly one million victims whose personal information is listed in the dump. Because fraudsters know where these victims bank, they can use that knowledge in social engineering attacks and take over the victims’ accounts, potentially causing significant financial harm. Below are some of the risks.
| Risk level | Type | Description | Urgency | Mitigation |
| --- | --- | --- | --- | --- |
| 8 | Fraud | Fraudsters use the card’s information to make unauthorized purchases online or to create a counterfeit copy of the card. | Immediate | Deactivate the compromised card and issue a new card to the victim. |
| 10 | Phishing | Fraudsters may attempt spear phishing attacks to gain access to sensitive information. | Long term | Monitor for any signs of account takeover and consider implementing two-factor authentication (2FA) for added security. |
| 7 | SMS OTP | Once the criminal has obtained the victim’s credentials, they may use the victim’s phone number to manipulate them into providing the one-time password (OTP) needed for account takeover. | Long term | Remain vigilant for any signs of account takeover. |
| 5 | Fraudulent Application | Fraudsters can use the victim’s name and address to apply for membership of a financial institution or for loans. The risk is medium because additional PII is needed. | Long term | Monitor for any fraudulent applications and verify the accuracy of the provided personally identifiable information (PII) to help prevent such attacks. |
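The following script is an added example, not part of the original article, showing how an issuer or analyst might triage a pipe-delimited dump of the kind described in the Analysis section and act on the first mitigation above (identify and deactivate compromised cards). It parses rows in the field order listed earlier, drops the CVV immediately, Luhn-checks each card number, masks PANs to BIN plus last four for reporting, aggregates counts by country, expiry year, and card class, and matches cards against an issuer's own BIN prefixes to produce an HMAC token list that can be checked against the issuer's systems without circulating raw PANs. The sample rows, the column order, the BIN prefixes, and the HMAC key are all constructed for illustration; the card numbers are standard synthetic test numbers, not data from the dump.

```python
"""Triage helper for a '|'-delimited card dump (added example, constructed data)."""
from collections import Counter
import hashlib
import hmac

# Assumed column order, following the field table in the article. Rows may be
# shorter than this when the seller had no address or contact details.
FIELDS = ["pan", "expiry", "cvv", "name", "issuer", "network", "type", "cls",
          "address", "city", "state", "zip", "country", "email", "phone"]

# Constructed sample rows. PANs are well-known synthetic test numbers;
# the third row has a deliberately corrupted check digit.
SAMPLE_DUMP = """\
4111111111111111|04/2023|123|Jane Roe|Example Bank|VISA|CLASSIC|DEBIT|1 Main St|Springfield|IL|62701|United States|jane@example.com|5551234567
5555555555554444|11/2023|456|John Roe|Sample Credit Union|MASTERCARD|GOLD|CREDIT|||||Mexico|john@example.net|
4111111111111112|09/2024|789|Bad Luhn|Example Bank|VISA|CLASSIC|DEBIT|||||United States||
4012888888881881|07/2025|321|Anne Roe|Other Bank|VISA|PLATINUM|CREDIT|||||United States|anne@example.org|5559876543
"""

# Hypothetical BIN prefixes "owned" by the issuer doing the triage.
ISSUER_BINS = {"411111", "401288"}
# Placeholder key; in practice this lives in an HSM or secrets manager.
HMAC_KEY = b"placeholder-hmac-key"


def luhn_ok(pan):
    """Return True if the digit string passes the Luhn check (filters junk rows)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep BIN (first 6) and last 4; this is the most that should appear in reports."""
    if len(pan) < 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_dump(text):
    """Parse rows into dicts. The CVV is dropped immediately and never retained."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        parts += [""] * (len(FIELDS) - len(parts))   # pad short rows
        row = dict(zip(FIELDS, parts))
        row.pop("cvv", None)
        row["pan"] = row["pan"].strip()
        row["luhn_ok"] = luhn_ok(row["pan"])
        records.append(row)
    return records


def summarize(records):
    """Aggregate statistics of the kind reported in the Analysis section."""
    return {
        "total": len(records),
        "luhn_invalid": sum(1 for r in records if not r["luhn_ok"]),
        "by_country": Counter(r["country"] for r in records if r["country"]),
        "by_expiry_year": Counter(r["expiry"].split("/")[-1] for r in records if r["expiry"]),
        "by_class": Counter(r["cls"].upper() for r in records if r["cls"]),
        "with_address": sum(1 for r in records if r["address"]),
        "with_address_and_phone": sum(1 for r in records if r["address"] and r["phone"]),
    }


def match_issuer_bins(records, issuer_bins, hmac_key):
    """Select Luhn-valid cards in the issuer's BIN ranges and emit masked PAN plus
    an HMAC token, so the block list can be matched internally without raw PANs.
    A plain hash is not enough here: the PAN keyspace is small enough to brute-force."""
    hits = []
    for r in records:
        if not r["luhn_ok"] or r["pan"][:6] not in issuer_bins:
            continue
        token = hmac.new(hmac_key, r["pan"].encode(), hashlib.sha256).hexdigest()
        hits.append({"masked_pan": mask_pan(r["pan"]), "expiry": r["expiry"], "token": token})
    return hits


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    summary = summarize(recs)
    for key in ("by_country", "by_expiry_year", "by_class"):
        print(key, summary[key].most_common())
    print("luhn_invalid:", summary["luhn_invalid"])
    for h in match_issuer_bins(recs, ISSUER_BINS, HMAC_KEY):
        print("deactivate:", h["masked_pan"], h["expiry"], h["token"][:16])
```

Against a real dump the same structure applies: replace `SAMPLE_DUMP` with the file contents, load the issuer's real BIN table, and hand the token list to the card-management system; the summary counters give the country, expiry, and debit/credit breakdowns that the Analysis section reports for the actual dump.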
Summary
The source of the content released by BidenCash remains unknown. It is unclear whether they obtained the data through phishing campaigns, hacked databases, or information-stealing malware. The release of this information has a significant impact on the affected users, not just on the financial institutions. In the short term, it is crucial to protect the impacted users by disabling their cards to reduce the risk of fraudulent activity. However, the users whose cards are listed in the dump remain vulnerable to long-term attacks, ranging from spear phishing to social engineering, and preventing future losses will require additional measures. Given that the BidenCash group was willing to release 2.1 million cards for free, it raises the question of how many cards they may still have in their possession.
If you have any questions, or would like to know whether cards issued under your brand appear in the dump, please do not hesitate to contact us at contact@darkarmor.io. We are here to help and are committed to finding solutions to your cybersecurity challenges.