For Sale: Card Data From Online Stores Using VolusionGemini Advisory Finds Data on Dark Web From Compromised Store Checkout Platform
Payment card data stolen last year when hackers compromised online stores that were using the Volusion checkout platform is now surfacing on dark web sites and forums, according to Gemini Advisory, a New York-based consultancy that specializes in anti-fraud services.
Gemini researchers have identified approximately 240,000 records related to the security breach involving these sites, with fraudsters apparently generating about $1.6 million from the sale of stolen data so far, according to the report.
"Compared to other breaches, the 239,000 records currently available in the dark web is fairly large," Christopher J.S. Thomas, an intelligence product analyst with Gemini, tells Information Security Media Group. "However, given the volume of compromised merchants, there are almost certainly many more records to be added, making this undoubtedly a major breach."
The Gemini report confirms earlier research from security firm Trend Micro and others that the hacking of these sites using the Volusion checkout platform are likely the work of Magecart, an umbrella organization comprising a dozen groups that have been attacking e-commerce sites of companies that have included British Airways, Ticketmaster and Newegg over the last two years.
From there, the Magecart group skimmed personally identifiable information from online checkout sites, including customer payment card data and names as well as phone numbers and other data, according to the Gemini report.
While the attack was first uncovered in October, Gemini and Trend Micro found that the hackers may have started compromising data as early as September, with the first bits of credit and payment card information appearing for sale on dark net forums in November.
With increases in data breaches, Gemini and other security analysts have watched a steady stream of stolen payment card and other data appear on several dark net forums.
In January, for example, Gemini found a listing on the forum Joker's Stash for stolen payment card details from the WaWa breach that in December 2019 that compromised as many as 30 million payment cards in 40 states (see: Wawa's Stolen Payment Cards Are Now for Sale).
In October 2019, Joker's Stash listed 1.3 million credit and debit cards of mostly Indian banking customers, according cybersecurity firm Group-IB found (see: Joker's Stash Lists 1.3 Million Stolen Indian Payment Cards).
Thomas says that security standards such as EMV 3D Secure, a messaging protocol that enables consumers to authenticate themselves with their card issuer when making card-not-present e-commerce purchases, should help stop cybercriminals from using this type of stolen data. But, unfortunately, many online merchants are not yet using EMV.
"In theory, EMV adoption prevents fraudsters from successfully cashing out skimmed cards, but in practice, many merchants often do not comply with EMV adoption standards," Thomas says. "This creates an opening that cybercriminals can and do exploit."
Managing Editor Scott Ferguson contributed to this report.