Over 750,000 debit and credit cards for sale found on the deep web

ThreatLandscape’s threat intel platform reports a deep-web site has over 700,000 Indian card details from over fifteen banks.

Abhishek Bhuyan
Feb 23, 2018 · 4 min read

Despite all the scaremongering by popular media, the Internet’s dark side, hyped as the Deep Web or the Dark Web, isn’t actually all that big. It is overestimated, often to silly proportions, by folks not really familiar with the intended connotation of ‘dark web’, clubbing everything unindexed and password protected with all that’s concerning.

That doesn’t mean it is any less threatening than it’s made out to be, especially this year. After Android.banker.A2f8a targeted top Indian banks like HDFC Bank, ICICI Bank, and Axis Bank, we can now confirm that almost 700,000 Indian credit card details are available for purchase for as low as $4.90 apiece. While we can’t comment on whether it was Android.banker.A2f8a, the flavor of card data available, the number of source countries, and the frequency of data updates tell us this is one or a number of banking trojans at work.

Trending data from ThreatLandscape Cyber Solutions’ threat intel platform shows Dridex right at the top

ThreatLandscape’s threat intel platform, crawling both the open web and the darker deep web, detected cvv-me.su and flagged it for further investigation. After some cursory research, it became clear that CVV.ME, true to its name, didn’t just have names, card numbers, and other demographic info but also CVVs, those three little numbers on the back of credit cards that, in most countries, are the last line of defense against card theft.

Total cards with CVVs over 750,000 available for as low as $4.90

Sophisticated in its design, full-filter enabled, and offering live chat support, CVV.ME allows one to see card details by country, CVV, and even SSN. For verification, it allows buyers to see the BIN, the Base (indicating the source of collection), and a confidence score on validity. Cards from the US cost between $9.99 and $19.99 apiece.

At over 700,000, India’s the most affected country on the site by far

https://cvv-me.su was registered on 25th August, 2016 and last updated on 23rd February, 2018.

Zappie didn’t really zap CVV.ME

While it was taken down on 5th August, 2017, it came back up a couple days later and as of the writing of this article, it was alive and kicking with updates (read: fresh data) coming in with alarming frequency.


First registered by baenko-marina@bk.ru, the owner’s e-mail was later changed to gergk34@mail.ru. Further analysis showed 11 similar domains associated with the op.

c-v-v.su | cvv-com.su | cvv-market.su | cvv-net.su | cvv-online.su
cvv-pro.su | cvv-ru.su | cvvme-shop.su | cvvme-store.su | validcc-market.su | validcc-su.su
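
For defenders who want to check their own resolver logs against the domains named above, the following is an added example, not part of the original article or ThreatLandscape's tooling. The log format, timestamps and client addresses are constructed; only the twelve domain names come from the article.

```python
# Added example: flag DNS queries for the domains listed in this article.
# The log format and client addresses below are constructed for illustration.

# Domains named in the article (primary site plus the 11 associated ones).
LISTED_DOMAINS = frozenset({
    "cvv-me.su", "c-v-v.su", "cvv-com.su", "cvv-market.su", "cvv-net.su",
    "cvv-online.su", "cvv-pro.su", "cvv-ru.su", "cvvme-shop.su",
    "cvvme-store.su", "validcc-market.su", "validcc-su.su",
})

def normalize(name):
    """Lower-case a queried name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def matched_domain(qname):
    """Return the listed domain that qname equals or is a subdomain of, else None."""
    labels = normalize(qname).split(".")
    # Compare whole-label suffixes so 'notcvv-me.su' and
    # 'cvv-me.su.example.com' do not produce false positives.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in LISTED_DOMAINS:
            return candidate
    return None

def scan(log_lines):
    """Yield (timestamp, client, qname, listed_domain) for each matching query."""
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        ts, client, qname = fields[0], fields[1], fields[2]
        hit = matched_domain(qname)
        if hit:
            yield ts, client, qname, hit

# Constructed sample log: "<timestamp> <client-ip> <queried-name> <type>"
SAMPLE_LOG = """\
2018-02-23T09:14:02Z 10.0.4.17 www.example.com. A
2018-02-23T09:14:09Z 10.0.4.17 CVV-ME.su. A
2018-02-23T09:15:41Z 10.0.7.52 shop.validcc-market.su A
2018-02-23T09:16:03Z 10.0.7.52 notcvv-me.su A
2018-02-23T09:16:30Z 10.0.9.8 cvv-me.su.example.com A
""".splitlines()

if __name__ == "__main__":
    for ts, client, qname, hit in scan(SAMPLE_LOG):
        print(f"{ts} {client} queried {qname} (listed: {hit})")
```

Because the operators rotate hosting roughly monthly, matching on the registered names holds up better than matching on IP addresses.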

They even run these sites on SSL certs from GlobalSign and COMODO, lending weight to the idea that this isn’t a bunch of kids playing in the banks’ backyards. Folks behind the op also take care to change the hosting server once every month or so as they gain popularity and become open to takedowns.

CVV.ME isn’t the only one of its kind, of course. UniCC, among many, many others, even has a promotional YouTube video touting its commitment to ‘your profits’.

On 29 January, 2018, a huge dump of Indian credit cards’ details was added to the site.

HDFC was the worst affected private sector bank with 112,264 cards available for purchase

Almost all the top Indian banks found mention on the site with Bank of India at #1 with 133,912 cards closely followed by HDFC with 112,264 and SBI at #3 with 106,694 cards.

© ThreatLandscape Cyber Solutions, 2018

While some reports suggested Punjab National Bank had only 1,000 to 10,000 of its customers affected, we found CVV.ME has 22,390 of the bank’s customers’ details on it at the time of publishing, adding to the bank’s current woes.

We tried getting an operator of the site to respond to what we thought would be an interesting query but nada. The site’s hosted in Russia so we’re hoping they’re asleep and will respond when they wake up. Or maybe they’re inundated with orders and don’t really care for queries about the quality of the data. After all, $4.90 isn’t a lot at all even for cards with low credit limits.

We’ll keep trying but we don’t hope to hear back

ThreatLandscape is a cyber threat intel solutions company monitoring the open and the scarier aspects of the deep web for brand mentions, infrastructure disclosures, third-party data leaks, and more. Our human+machine intelligence framework allows us to not just quickly alert our customers to sites like CVV.ME but also work with authorities to remediate such situations.

Beyond The Perimeter

Exploits in the wild. Stories from our desk.
