- The year 2020 involved drastic shifts to the underground payment card economy. Gemini identified breaches of 384 merchants with a combined 1,425 exposed locations across 48 states and ten countries/territories. While Card Not Present (CNP) fraud continued to increase, demand for Card Present (CP) records has plummeted since March’s COVID-19 lockdown restrictions.
- Magecart attacks were popular prior to the pandemic, but became more attractive as a means of attacking e-commerce sites as cybercriminal demand for CNP records increased. E-commerce fraud adapted through fraudulent shops originally advertising medical supplies, and later clothing and recreation, all in order to convince shoppers to input their sensitive card data.
- Due to COVID-19 travel restrictions, fraud schemes related to travel were severely diminished. However, in October, many countries began relaxing travel restrictions, briefly allowing travel services fraud to rebound. This may indicate how quickly the underground economy can adapt to a post-COVID world.
- Gemini assesses with high confidence that CNP fraud is likely to continue proliferating at an increasing rate, just as scam shops and Magecart attacks are likely to increase. Gemini Advisory also assesses with moderate confidence that both the supply of and demand for stolen CP records, as well as travel fraud, are likely to approach pre-pandemic levels as COVID-19 lockdown restrictions relax around the world.
The year 2020 involved drastic shifts to the underground payment card economy. Some of these were the continuation of existing trends, while others resulted from the COVID-19 pandemic. Gemini Advisory’s coverage of the dark web ecosystem provided insight into the most significant shifts in the fraud threat landscape and the reasons underlying these developments.
Certain core features of the dark web payment card economy remained the same. Of the 115 million compromised cards that Gemini observed in 2020, 87 million came from the United States, which has been the leading target for card fraud since this underground economy emerged. The shift towards Card Not Present (CNP) records has continued as the world is increasingly digital and transactions increasingly take place online.
However, COVID-19 and the quarantine measures associated with its containment have created some new shifts. While CNP fraud continues to increase, demand for Card Present (CP) records has plummeted since March, when Europe and the United States implemented severe lockdown restrictions. The lack of opportunities to conduct in-person transactions has limited the cashout potential of stolen CP data, and thus devalued the product. The supply of CP records nonetheless remains high, allowing for the possibility that CP card demand rebounds to pre-pandemic levels once lockdowns are lifted.
Supply and Demand
In 2020, the yearly supply of compromised CP records in dark web marketplaces decreased by 10% to 70 million, marking the first drop in three years after posting 50% year-over-year (YoY) growth in 2018 and 25% in 2019. Furthermore, demand for CP records declined by 40% after showing 150% YoY growth last year. When looking specifically at the past eight months of the COVID-19 pandemic, the drop is more dramatic with demand declining by 60% as compared to the preceding period. Gemini assesses with high confidence that the drop in demand for CP records and the accompanying reduction in supply is the result of the COVID-19 pandemic and lockdown restrictions.
Since 2017, the yearly supply of compromised CNP records in dark web marketplaces has continued to grow, though at a smaller rate each year, resulting in 40 million cards exposed in 2020 and a corresponding 20% YoY increase from 2019. Similarly, demand for CNP records rose in 2020 with a 20% YoY increase. Whereas the data strongly suggests that the COVID-19 pandemic caused a drop in demand for CP records, the data does not indicate a strong relationship between the pandemic and demand for CNP records.
For the third year in a row, roughly 90% of exposed CP cards and 50% of exposed CNP cards added to the dark web were issued by the United States. The consistently high percentage of exposed CP cards is due to lower EMV chip usage and adoption requirements in the United States as compared to other developed countries. For the second consecutive year, the second-highest issuer of CP cards was South Korea and the second-highest issuer of exposed CNP cards was China. While supply and demand for CP records from large non-Western economies exploded in 2019, exceeding the growth rate witnessed in Western countries, the pandemic appears to have more strongly affected the market for non-Western CP records as both supply and demand have dropped by over 50% in this period. A similar though less extreme dynamic was observed with CNP records from non-Western economies: significant YoY growth in 2019 followed by a decline in supply and a leveling of demand in 2020 during the pandemic.
CPP Overview & Significant Breaches
In 2020, Gemini identified breaches of 384 merchants with a combined 1,425 exposed locations across 48 states and ten countries/territories. Analysts mapped the US locations, which made up the majority of data points, to indicate which regions, states, and cities were most heavily affected. Blue points represent CP breaches and refer to the physical location of the breached merchant. Orange points represent CNP breaches and refer to the physical headquarters of the company operating the website that was breached.
Image 1: The affected CPP locations are spread across the continental United States with a particular concentration in urban coastal regions. Blue points represent CP locations and orange points represent CNP locations.
Card Present (CP)
From the 279 CP breaches identified by Gemini, analysts determined that CP infections remained within victims’ networks and point-of-sale (POS) devices for five to ten months on average, and that the majority of CP exposures in 2020 continued to come from restaurants and bars. These establishments have been the primary target of CP breaches for the past several years because they often still use outdated POS systems that only accept swipe transactions, a less secure payment method than EMV chip-enabled transactions. Importantly, however, 2020 also witnessed the emergence of EMV-Bypass Cloning, a technique that allows cybercriminals to collect data from EMV card transactions with a sniffer and then create cloned copies for swipe transactions from the collected data.
In 2020, three of the most significant CP breaches were published by Joker’s Stash, a dark web marketplace specializing in large-scale breaches released over extended periods of time:
- In late December 2019, Joker’s Stash began publishing compromised CP records from nearly all 900 locations of Wawa, an East Coast-based convenience store and gas station chain. Since last December, the breach has resulted in 17 million exposed cards with Joker’s Stash claiming the breach compromised a total of 30 million cards.
- Shortly after the announcement of the Wawa breach, Joker’s Stash released compromised cards from breaches of Islands Fine Burgers & Drinks and Champagne French Bakery Cafe, two unrelated restaurant chains with a heavy presence in California. The combined card exposure from these two breaches has risen to over one million in 2020.
- In October 2020, Joker’s Stash announced the breach of Dickey’s Barbecue Pit, claiming it had stolen 3 million cards. To date, 250,000 cards from over 150 of Dickey’s Barbecue Pit locations have been uploaded to the dark web. Dickey’s Barbecue Pit is a restaurant chain with 432 locations (411 of which are currently open) across 42 states.
- Gemini Advisory found approximately 1 million cards linked to a breach of Key Food Stores Co-Operative Inc., a network of US grocery stores. They were exposed from August to December 2019 and posted to a different top-tier dark web marketplace. Significantly, many of the compromised cards had been used in EMV transactions, indicating that the fraudsters relied on EMV-Bypass Cloning. The cards came from 77 Key Food Stores locations in a handful of states, with the largest concentrations in New York, New Jersey, and Connecticut.
Image 2: The most affected states by CPP volume were Pennsylvania, New Jersey, and Florida.
Card Not Present (CNP)
Gemini identified 105 CNP breaches in 2020 and observed that threat actors relied on established methods, such as Magecart-based attacks, while also turning to increasingly sophisticated phishing attacks. On average, victims’ e-commerce sites that were targeted by a CNP-based breach remained infected from 15 days to over a month, with some infections lasting as long as two to four months. While clothing retailers continued to be a common target of CNP breaches, Gemini specifically observed a noticeable uptick in the number of infected sites selling CBD and vaping products. Furthermore, in direct response to in-person dining restrictions due to the COVID-19 pandemic, cybercriminals began to target the websites of restaurants offering online ordering in Q3 and Q4 2020.
Three of the most significant CNP breaches in 2020 display both the scale of exposures and the distinct methods used by cybercriminals to compromise e-commerce sites:
- In the summer of 2020, cybercriminals released nearly 100,000 compromised cards to a top-tier dark web marketplace from a breach of Claire’s Boutique, a jewelry, clothes, and accessories retailer. According to Sansec, a company specializing in e-commerce malware and vulnerability detection, the Magecart attack used in this breach shared similar indicators of compromise (IOCs) and characteristics with a North Korean advanced persistent threat (APT) group.
- More recently, in November 2020, Gemini identified nearly 150,000 compromised cards associated with the breach of several related sites that provide background search and record query services. The popular sites receive hundreds of thousands of monthly visitors and appear to have been exposed for over 10 months. These cards were also posted to a top-tier marketplace.
Existing Trends: Magecart
Another TTP observed was the use of the Scalable Vector Graphics (SVG) element as a script-hiding technique. Actors transformed their scripts into character codes and implanted them on victim sites within the SVG element and its sub-elements. Actors also tried to find a way around iFrame payment systems by injecting false payment fields into checkout forms to collect card information. Data exfiltration techniques additionally evolved, with actors adding WebSocket connections to their skimmers, allowing for near-real-time data collection and transport. This technique also offers the advantage of card collection even if the transaction is not fully completed, since the data is collected as it is entered versus waiting for the final submit button to be pressed. Overall, Gemini observed that cybercriminals primarily targeted online shops running outdated versions of e-commerce platforms like Magento. The most notable target was Magento 1.x, which remains in widespread use despite being deprecated in summer 2020 and no longer receiving security updates.
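A defender-side heuristic, added here as an illustration and not part of Gemini's report or tooling, that checks a checkout page's inline scripts for the three indicators just described: a script nested inside an SVG element, a script stored as a long array of numeric character codes, and a WebSocket opened to a host other than the shop's own. The sample page, the host names and the array-length threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Heuristics for the three Magecart techniques described above: scripts stuffed
# into an <svg> element, code stored as numeric character codes, and WebSocket
# exfiltration to a host other than the shop itself (threshold of 16 is assumed).
CHARCODE_RE = re.compile(r"(?:fromCharCode\s*\(|\[)\s*(?:\d{2,3}\s*,\s*){16,}")
WS_RE = re.compile(r"""new\s+WebSocket\s*\(\s*["']wss?://([^"'/]+)""")

class InlineScriptCollector(HTMLParser):
    """Collects inline scripts, noting whether each sits inside an <svg> subtree."""
    def __init__(self):
        super().__init__()
        self.svg_depth, self.buf, self.scripts = 0, None, []
    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "script":
            self.buf = []
    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1
        elif tag == "script" and self.buf is not None:
            self.scripts.append((self.svg_depth > 0, "".join(self.buf)))
            self.buf = None
    def handle_data(self, data):
        if self.buf is not None:  # only script bodies are buffered
            self.buf.append(data)

def scan_checkout_page(html, first_party_host):
    """Return the skimmer indicators found in a page (empty list = none found)."""
    p = InlineScriptCollector()
    p.feed(html)
    findings = []
    for inside_svg, src in p.scripts:
        if inside_svg:
            findings.append("inline script nested inside an <svg> element")
        if CHARCODE_RE.search(src):
            findings.append("long array of numeric character codes (encoded script)")
        for host in WS_RE.findall(src):
            if host.lower() != first_party_host.lower():
                findings.append(f"WebSocket connection to third-party host {host}")
    return findings

# Constructed sample page (not from the report) carrying all three indicators.
SAMPLE_PAGE = """<form><input name="cardnumber" placeholder="Card number"></form>
<svg width="0" height="0"><defs><script>
var c=[118,97,114,32,119,115,61,110,101,119,32,87,101,98,83,111,99,107,101,116,40,34];
new WebSocket("wss://stats.cdn-metrics.invalid/s");</script></defs></svg>"""
```

Run it against a saved copy of a checkout page with the shop's own hostname; a WebSocket to the shop itself is not reported, and an empty list means none of the three patterns was found, not that the page is clean.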
Emerging Trend: Scam Shops
E-commerce fraud saw a broad range of new and improved TTPs in 2020. At the beginning of the COVID-19 pandemic, hundreds of fraudulent e-commerce shops were set up to capitalize on the demand for medical supplies. These sites charged customers for products that were not delivered while also collecting payment card information for sale on the dark web marketplaces. As the pandemic progressed and shopping patterns shifted towards consumer goods such as clothing and recreation, these actors followed along and adapted their merchandising tactics. These types of e-commerce shops appear to be legitimate and advertise goods across the internet. They often attract customers through sizable discounts, which may appear suspicious in regular times, but gained credibility as increasing volumes of closing stores offered clearance sales. This was additionally compounded around Black Friday.
To conduct the scam, fraudsters create an e-commerce shop to advertise and sell their goods. When the customers place a purchase, the shop collects their payment card data and personally identifiable information (PII), which the fraudsters sell on dark web marketplaces. Finally, the fraudsters deliver the customers faulty products, or none at all. Gemini has noted a spike in scam shop-related fraud, particularly related to Chinese-registered shops.
Gemini Advisory has identified one group of China-based e-commerce fraudsters contributing to this spike that operates hundreds of scam sites and has exposed tens of thousands of US and international payment card records and individuals’ PII over the past six months. Almost 200 of the nearly 600 sites identified by Gemini were linked to the Chinese acquiring bank Jilin Jiutai Rural Commercial Bank Co., Ltd. This new fraud scheme has proved dangerously effective in the COVID-19 environment.
Prospective Trends: Travel Services Fraud
Due to COVID-19 travel restrictions, fraud schemes related to travel were severely diminished. However, in October, many countries began relaxing travel restrictions and opening their borders to tourists. This revitalized a form of fraud that had diminished under COVID-19: travel services fraud. In this scheme, cybercriminals advertise discounted travel services to other fraudsters or to unknowing customers. They may offer accommodations, flights, wedding ceremonies, vehicle and boat rentals, helicopter tours, and excursions at very low rates; these rates are possible because the fraudsters leverage compromised accounts and loyalty points, identity obfuscation, or partnerships with hotel owners and vacation rental hosts, among other tactics. The airline industry alone loses nearly $1 billion per year due to the fraudulent online purchase of flight tickets, according to Interpol.
The rapid resumption of travel services fraud during October’s relaxed lockdown restrictions demonstrates how quickly cybercriminals adapt to changing conditions. What turned out to be merely a temporary lull in the virus’ spread already kickstarted a declining form of fraud. If this pattern holds, then travel services fraud will likely see another resurgence as travel increases in the final days of the pandemic. This would also indicate that other declining forms of fraud, including demand for CP records, will similarly resume once lockdown restrictions relax. The travel fraud that declined, briefly rebounded, and declined again in 2020 may well be an indication of travel fraud as a trend on the horizon of 2021, soon to rise again.
Gemini has observed several drastic developments in 2020. Existing trends towards CNP fraud have been exacerbated by COVID-19, which has also severely dampened demand for CP records. The United States remained the largest target of fraud, although non-Western economies are increasingly targeted. Magecart attacks, already a popular method of targeting e-commerce platforms, became more sophisticated. Scam shops became an emerging trend, particularly those hosted in China, to capitalize on the pandemic conditions. Travel fraud suffered alongside CP demand but quickly bounced back when travel briefly appeared to be opening again in October; this may indicate a similar return of CP fraud when in-person transactions again become the norm.
A series of breaches that Gemini covered have illustrated these trends and the deployment of new techniques. Gemini assesses with high confidence that CNP fraud is likely to continue proliferating at an increasing rate, just as scam shops and Magecart attacks are likely to increase. Gemini Advisory also assesses with moderate confidence that both the supply of and demand for stolen CP records, as well as travel fraud, are likely to approach pre-pandemic levels as COVID-19 lockdown restrictions relax around the world.
Gemini Advisory Mission Statement
Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.