Not six months have passed since the last major India-related carding scoop, before another big haul was up for sale.

On Feb 5, a database containing over 460,000 payment card records uploaded to one of the most popular darknet cardshops. Over 98% of the records were from the biggest Indian banks. The source of this batch currently remains unknown

The underground market value of the database is estimated at more than US$4.2 million. Upon the discovery of this database, Singapore-based cybersecurity company Group-IB had immediately informed the Indian Computer Emergency Response Team (CERT-In) about the sale of the payment records, so they could take necessary steps.

This is the second major upload of payment records related to Indian cardholders registered by Group-IB in the past several months. The first one was reported by Group-IB last October.

The database was named “INDIA-BIG-MIX” (full name: [CC] INDIA-BIG-MIX (FRESH SNIFFED CVV) INDIA/EU/WORLD MIX, HIGH VALID 80-85%, uploaded 2020-02-05 (NON-REFUNDABLE BASE) and went on sale on the Joker’s Stash — one of the most popular underground cardshops. 

According to Group-IB Threat Intelligence team, the database, comprising 461,976 payment records, in particular, exposed card numbers, expiration dates, CVV/CVC codes and, in this case, some additional information such as cardholders’ full name, as well as their emails, phone numbers and addresses. 

All the cards from the database were being sold for US$9 apiece, with the total underground market value of all the batch standing at US$4,157,784. This is the only big sale of Indian cards’ CC data detected for the past 12 months, since in the previous India case, card dumps—the information contained in the card magnetic stripe—were put up for sale.

What distinguishes the new database from its predecessor is the fact that the cards were likely compromised online, this assumption is supported by the set of data offered for sale.

Comments Dmitry Shestakov, head of Group-IB’s сybercrime research unit: “This is the second major leak of cards related to Indian banks detected by Group-IB in the past several months. In the current case, we are dealing with so-called fullz—they have info on card number, expiration date, CVV/CVC, cardholder name as well as some extra personal info. Such types of data are likely to have been compromised online—with the use of phishing, malware, or JS-sniffers—while in the previous case, we dealt with card dumps (the information contained in the card magnetic stripe), which can be stolen through the compromise of offline POS terminals, for example.”

According to Group-IB’s Hi-Tech Crime Trends 2019/2020” report, presented at CyberCrimeCon’19 in Singapore last November, the size of the carding market had risen by 33%  and totaled US$879.7 million in H2 2018—H1 2019 year-on-year. The sale of CC data is also on rise today, having grown by 19% in the corresponding period.

One of the reasons behind the carding market expansion was the work of JS-sniffers, which enables operators to steal payment card data from e-commerce websites. This threat can hardly be underestimated: the APAC region has recently seen its first arrest of JS-sniffers’ operators, who stole payment card data with the help of GetBilling JS-sniffer family. The arrest came as a result of a joint operation of INTERPOL, Group-IB and Indonesian police.