AllWorldCards Releases 1,000,000 Cards
On May 31, 2021, a spokesperson for AllWorldCards published their first post on the cybercrime forum XSS announcing that they are open for business. Similar to the shops that have preceded them, AllWorldCards advertised shop links on deep web and Tor domains, a presence on cybercrime forums, and an accessible customer support email. Further, they have taken a cue from the major ransomware collectives, Lockbit and REvil, and sponsored an article competition on XSS dubbed “XSS Hot Summer.” The competition is looking for thought leadership from the best and brightest of the cybercrime underground.
Following the planned shutdown of Joker’s Stash in February 2021, formerly the largest card shop by volume and quality, many shops have been vying for the top spot. This includes established shops like Brian’s Club, Ferum, and Yale Lodge, and newer entrants like Trump’s Dumps. AllWorldCards is one of many shops tracked by Flashpoint. Like any online business, legitimate or otherwise, AllWorldCards is flexing the bargaining power of its suppliers through new offerings … notably freebies.
On August 2, 2021, the spokesperson of AllWorldCards announced the release of 1,000,000 credit cards for free. The data contained in these records included full credit card numbers, expiration dates, CVVs, and in some cases other PII (Country, State, City, Address, Zip Code, Email, Phone). According to their spokesperson, only about 20% of the cards that were provided are valid. Many shops provide online checkers that enable prospective buyers to verify the validity of the card data. AllWorldCards uses the following 4check and GoldCheck to check validity. AllWorldCards further stated that the data is from pre-pandemic 2018-2019. The origin of the breach, however, is unknown.
Catch and Release?
Card shops typically announce new offerings of credit cards stolen through physical transactions at point-of-sale terminals, and skimmed through compromised e-Commerce shops. The card data differs in the information that is collected, and how that stolen data is monetized. Typically physical card data is encoded onto blank credit cards and used in card-present transactions. The skimmed card data is used for online, card-not-present transactions. Several factors play a role in the price data, including the validity, date of compromise, geography, card type, and available balance. So why release it for free?
As previously mentioned, the breach date of the card data indicates that it may be difficult to sell within the shop. Further, the validity of the card data will likely indicate a low sale price. The release of 1M credit cards is likely an instance of guerilla marketing in an effort to attract new customers, and suppliers. This is further evidenced from public messaging on the Jabber server.
AllWorldsCards releases information via Exploit’s Jabber server, though they don’t appear to maintain a presence on that forum. Card shop administrators have historically relied on their connections to identify suppliers, or utilized direct messages on forums. AllWorldsCards unconventional advertisements on forums as well as the Jabber server of a top-tier forum Exploit, singles them out as a very open and ambitious shop, who are not looking to sell cards but are also interested in supporting the cybercrime community. This is also underscored by their sponsorship of the article competitions on XSS.
Turn Insight into Action with the Flashpoint Compromised Credit Card Platform
Flashpoint delivers the market-leading compromised credit card fraud monitoring tool to top financial institutions. Sign up for your demo now, and see firsthand how financial institutions identify exposed credit cards and understand the key context behind the breach.