What Fraud Teams Need to Know About Joker’s Stash
By Ian Gray and Max Aliapoulios
The ecosystem for stolen payment card data comes in several tiers, ranging from low-end markets that resell recycled cards from old breaches to top-tier shops that stock unused card data, often sourced directly from a fresh breach. Joker’s Stash belongs to the latter group and, since its inception in 2014, has become one of the most popular shops for card data stolen from both online and in-store transactions. In 2015 the shop diversified its criminal offerings to include personally identifiable information such as Social Security numbers.
The latest news from Joker’s Stash arrived on Oct. 29, when more than 1.3 million credit and debit card records, reportedly belonging to customers of Indian banks, were added to the shop. The data was released as a dump. In card-shop terminology, dumps are the magnetic-stripe track data captured at a physical terminal, usually by a skimmer or by point-of-sale malware, and are bought to clone cards for card-present fraud. Cards (listed as CVVs on most shops, including in the pricing chart below) are instead sourced from online, card-not-present (CNP) transactions and include information such as the card number, expiration date, cardholder name and, as the name suggests, the security code.
While the India dump is one of the largest ever added to Joker’s Stash, its source is still unknown. Since the start of 2018 there have been numerous instances of breached data being added to the shop. These include card data stolen from the Hy-Vee supermarket chain, dubbed the Solar Energy breach and disclosed in August, and February’s so-called Davinci breach; all of it was stolen from merchants using point-of-sale malware, or from ATMs using skimmers and similar illicit tools. On Joker’s Stash, the day-over-day change (delta) in the number of cards listed shows a noticeable spike each time one of these breaches was released, which makes that delta a useful signal to track.
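As an added illustration, written for this page rather than taken from Flashpoint’s own tooling, the following Python computes that day-over-day delta over a constructed series of daily listing totals and flags the days whose delta stands out against a robust baseline. The dates, the totals and the two injected releases are all made up for the example; a real collector would record the shop’s own counters once a day.

```python
"""Flag days on which a card shop's total listings jump.

Added example, not part of the original article or Flashpoint's tooling.
The input is a constructed series of daily listing totals; a real
collector would record the shop's own counters once a day. The signal
is the day-over-day delta, scored against a median/MAD baseline so that
one very large release does not raise the threshold for the next one.
"""
from datetime import date, timedelta
from statistics import median


def constructed_series():
    """Thirty days of made-up totals: a steady trickle of new listings plus
    two large additions on day 10 and day 24 (constructed sample data)."""
    start = date(2019, 10, 1)
    total = 500_000
    series = []
    for i in range(30):
        total += 1_200 + (i * 37) % 400      # background churn
        if i == 10:
            total += 180_000                 # a mid-sized release
        if i == 24:
            total += 1_300_000               # a very large release
        series.append((start + timedelta(days=i), total))
    return series


def deltas(series):
    """Day-over-day change, labelled with the later day's date."""
    return [(day, count - prev)
            for (_, prev), (day, count) in zip(series, series[1:])]


def robust_spikes(series, k=5.0):
    """Return (date, delta, robust z-score) for days whose delta exceeds
    median + k * MAD. MAD is used instead of the standard deviation because
    the very spikes we want to detect would otherwise dominate the baseline."""
    ds = deltas(series)
    values = [v for _, v in ds]
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0   # avoid a zero divisor
    return [(day, v, (v - med) / mad) for day, v in ds if (v - med) / mad > k]


def spike_dates(series, k=5.0):
    """ISO dates of the flagged days, convenient for correlating with shop
    advertisements or with news of a disclosed breach."""
    return [day.isoformat() for day, _, _ in robust_spikes(series, k)]


if __name__ == "__main__":
    for day, delta, z in robust_spikes(constructed_series()):
        print(f"{day}: +{delta:,} listings (robust z = {z:.1f})")
```

The threshold is deliberately robust: with a plain mean and standard deviation, the 1.3 million-card release would inflate the baseline enough to hide the smaller one. A flagged date on its own only says that inventory jumped; matching it against the operators’ advertisements and against disclosed breaches is what turns it into an attribution.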
A recent Flashpoint paper on the pricing of illicit goods on the underground shows that the going rate for cards fluctuates with freshness, country of origin, expiration date and other factors. Below is a graphic illustrating the average monthly price of CVVs and dumps on Joker’s Stash, in USD, throughout this calendar year.
The upshot is that because Joker’s Stash is the most notorious illicit card shop on the internet, organizations need some visibility into the card and personal data offered there in order to curtail the potential impact of a breach. Analysis of the card data available on Joker’s Stash, especially when combined with qualitative information such as the operators’ advertisements of breached data, allows cyber threat intelligence (CTI) and fraud teams to identify their potential exposure quickly and with confidence, and to mitigate the impact. We believe that combining these two kinds of analysis of the cybercriminal underground allows fraud teams to be proactive and reduces both false positives and false negatives in determining whether a breach has occurred.
Fraud teams in particular find it most valuable to know what card data is available on Joker’s Stash and when it appeared, because that timing helps them identify the common point of purchase (CPP) of the compromised cards: the merchant or terminal at which all of the affected cards were used during the same window. This in turn points to the source of the breach, geographically (illustrated below) and/or institutionally. Fraud teams consider CPP analysis the most reliable way to determine the source of a breach and stem its potential impact. The caveat is that the largest merchants appear in nearly every card’s history, so a merchant’s frequency among the compromised cards has to be compared with its frequency among cards that were not compromised, not taken at face value.
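An added example of that comparison, written for this page and not taken from any issuer’s CPP system: given constructed transaction histories for cards that later appeared on the shop and for cards that did not, it scores each merchant by how many of the compromised cards it saw inside the suspected compromise window relative to a baseline of untouched cards. The card IDs, merchant IDs, dates and the compromise window are all invented for the example.

```python
"""Common point of purchase (CPP) over constructed transaction data.

Added example for this page, not an issuer's production CPP system.
Cards that later show up on a shop usually share one merchant or
terminal where all of them were used during the compromise window.
Raw merchant frequency among the compromised cards is misleading,
since the biggest merchants appear in almost every card's history,
so each merchant's coverage of the compromised set is compared with
its coverage of a baseline of cards that did not appear on the shop.
"""
from collections import defaultdict
from datetime import date

# Constructed sample: cards c1-c6 later appeared on the shop, c7-c12 did not.
COMPROMISED = {"c1", "c2", "c3", "c4", "c5", "c6"}
WINDOW = (date(2019, 8, 1), date(2019, 8, 31))   # assumed compromise window


def constructed_transactions():
    """(card_id, merchant_id, date) tuples; every value is made up."""
    days = [date(2019, 8, 3 + 4 * i) for i in range(6)]
    tx = []
    # everyone shops at the big-box store, compromised or not
    for n, d in zip(range(1, 13), days * 2):
        tx.append((f"c{n}", "M-BIGBOX", d))
    # every compromised card was used at the suspect merchant inside the window
    for n, d in zip(range(1, 7), days):
        tx.append((f"c{n}", "M-GAS-17", d))
    tx.append(("c9", "M-GAS-17", date(2019, 8, 12)))   # one baseline card, in window
    tx.append(("c8", "M-GAS-17", date(2019, 6, 5)))    # baseline card, outside window
    for card in ("c2", "c5", "c7", "c10", "c11"):
        tx.append((card, "M-CAFE", date(2019, 8, 20)))  # unrelated merchant
    return tx


def cpp_scores(transactions, compromised, window, min_coverage=0.5):
    """Per merchant: (share of compromised cards seen there in the window,
    share of baseline cards seen there, lift). Merchants seen on fewer than
    min_coverage of the compromised cards are dropped, because a CPP should
    explain most of the affected cards, not a handful of them."""
    start, end = window
    comp_cards = {c for c, _, _ in transactions if c in compromised}
    base_cards = {c for c, _, _ in transactions if c not in compromised}
    seen = defaultdict(set)   # merchant -> cards transacting there in the window
    for card, merchant, when in transactions:
        if start <= when <= end:
            seen[merchant].add(card)
    scores = {}
    for merchant, cards in seen.items():
        comp_rate = len(cards & compromised) / len(comp_cards)
        base_rate = len(cards - compromised) / len(base_cards)
        if comp_rate < min_coverage:
            continue
        # floor the baseline so a merchant unseen on baseline cards gets a finite lift
        lift = comp_rate / max(base_rate, 0.5 / len(base_cards))
        scores[merchant] = (round(comp_rate, 3), round(base_rate, 3), round(lift, 2))
    return scores


def likely_cpp(transactions, compromised, window):
    """Merchant with the highest lift, or None if nothing clears the bar."""
    scores = cpp_scores(transactions, compromised, window)
    return max(scores, key=lambda m: scores[m][2]) if scores else None


def run_example():
    """Run the analysis over the constructed data and return (CPP, scores)."""
    tx = constructed_transactions()
    return likely_cpp(tx, COMPROMISED, WINDOW), cpp_scores(tx, COMPROMISED, WINDOW)


if __name__ == "__main__":
    cpp, scores = run_example()
    for merchant, (comp, base, lift) in sorted(scores.items(), key=lambda kv: -kv[1][2]):
        print(f"{merchant:10} compromised {comp:.0%}  baseline {base:.0%}  lift {lift}")
    print("likely CPP:", cpp)
```

On the constructed data the big-box merchant covers every compromised card but also every baseline card, so its lift is 1.0 and it is correctly ignored, while the gas station covers all six compromised cards and only one baseline card. The window matters: the baseline card that visited the gas station in June falls outside it and does not dilute the result. In practice the window is itself an output of the analysis, and the listing dates on the shop are what bound it.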
Joker’s Stash, meanwhile, being one of the more mature and thriving underground markets, invests in its own resilience. One example is its move to Blockchain DNS, a peer-to-peer, blockchain-based naming system. Because there is no registrar to seize a name from, such domains resist the takedowns that conventional domains are exposed to, and visitors resolve them through a browser plugin or a dedicated resolver rather than through their ISP’s DNS, which sidesteps ISP or government censorship and surveillance of lookups.
For analysts, the shift to Blockchain DNS also devalues signals such as a spike in conventional domain registrations as an early warning of a breach-data release, since there is no registrar activity left to watch. In the case of Joker’s Stash the operators tend to be boastful about upcoming releases anyway, so fraud and CTI teams gain little from watching domain registrations alone as an indicator of an impending release, and such registrations say even less about whether a breach has already occurred.
While Joker’s Stash is one prominent venue for fraud activity, it is far from the only one. The sales and turnover of these underground communities shape the movement and spread of cybercrime, which is why monitoring the conversations and activity on other card shops, forums and encrypted chat applications is also crucial for understanding the ecosystem.
In the end, fraud and CTI teams inside financial services organizations and retailers require visibility into shops such as Joker’s Stash, and expert analysis of what appears there, in order to anticipate breaches and curtail their impact.