Over 750,000 debit and credit cards for sale found on the deep web

ThreatLandscape’s threat intel platform reports a deep-web site has over 700,000 Indian card details from over fifteen banks.

Abhishek Bhuyan
Feb 23, 2018 · 4 min read

Despite all the scaremongering by popular media, the Internet’s dark side, hyped as the Deep Web or the Dark Web, isn’t actually all that big. Its size is overestimated, often to silly proportions, by folks unfamiliar with the intended connotation of ‘dark web’, who lump everything unindexed or password-protected together with all that’s genuinely concerning.

That doesn’t mean it is any less threatening than it’s made out to be, especially this year. After Android.banker.A2f8a targeted top Indian banks like HDFC Bank, ICICI Bank, and Axis Bank, we can now confirm that almost 700,000 Indian credit card details are available for purchase for as little as $4.90 apiece. While we can’t comment on whether it was Android.banker.A2f8a, the flavor of card data available, the number of source countries, and the frequency of data updates tell us this is one or more banking trojans at work.

CVV.ME: The latest in a series of brazenly open credit card hawkers

ThreatLandscape’s threat intel platform, which crawls both the open web and the darker deep web, detected cvv-me.su and flagged it for further investigation. After some cursory research, it became clear that CVV.ME, true to its name, didn’t just have names, card numbers, and other demographic info but also CVVs, those three little numbers on the back of credit cards that, in most countries, are the last line of defense against card theft.

Sophisticated in design, with full filtering and live chat support, CVV.ME lets a buyer browse card details by country, CVV, and even SSN. For verification, it shows the BIN, the Base (indicating the source of collection) and a confidence score on validity. Cards from the US cost between $9.99 and $19.99 apiece.

CVV.ME lives despite takedown attempts

https://cvv-me.su was registered on 25th August, 2016 and last updated on 23rd February, 2018.

While it was taken down on 5th August, 2017, it came back up a couple of days later and, at the time of writing, it was alive and kicking, with updates (read: fresh data) coming in with alarming frequency.

First registered by baenko-marina@bk.ru, the owner’s e-mail was later changed to gergk34@mail.ru. Further analysis showed 11 similar domains associated with the op.

c-v-v.su | cvv-com.su | cvv-market.su | cvv-net.su | cvv-online.su
cvv-pro.su | cvv-ru.su | cvvme-shop.su | cvvme-store.su | validcc-market.su | validcc-su.su
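The article does not say how the 11 domains were tied to the op, so as an added illustration (not ThreatLandscape’s code) here is the kind of defensive pivot an analyst runs over registration records: link domains to a seed by a shared registrant e-mail and by a naming pattern, and keep the two signals apart because a name-only hit needs corroboration. The domain names are the ones listed above; the registrant addresses and their pairing with domains are constructed placeholders.

```python
from collections import defaultdict

def core_label(domain: str) -> str:
    """Second-level label with hyphens removed: 'c-v-v.su' -> 'cvv'."""
    return domain.lower().split(".")[0].replace("-", "")

def related_domains(seed: str, records: list, terms: tuple) -> dict:
    """Map each non-seed domain to the reasons it is linked to the seed.

    'shared registrant' means an e-mail in the seed's current or historical
    registrant list also appears on the record (strong signal).
    'naming pattern' means a brand term appears in the hyphen-stripped label
    (weak signal on its own; unrelated sites can reuse the same letters).
    """
    seed_rec = next(r for r in records if r["domain"] == seed)
    seed_emails = set(seed_rec["registrants"])
    linked = defaultdict(list)
    for rec in records:
        if rec["domain"] == seed:
            continue
        if seed_emails & set(rec["registrants"]):
            linked[rec["domain"]].append("shared registrant")
        if any(t in core_label(rec["domain"]) for t in terms):
            linked[rec["domain"]].append("naming pattern")
    return dict(linked)

# The 11 domains named in the article; registrant data below is constructed.
OP_DOMAINS = ["c-v-v.su", "cvv-com.su", "cvv-market.su", "cvv-net.su",
              "cvv-online.su", "cvv-pro.su", "cvv-ru.su", "cvvme-shop.su",
              "cvvme-store.su", "validcc-market.su", "validcc-su.su"]
RECORDS = (
    [{"domain": "cvv-me.su",  # seed: current plus historical registrant
      "registrants": ["registrant-a@example.invalid", "registrant-b@example.invalid"]}]
    + [{"domain": d, "registrants": ["registrant-b@example.invalid"]} for d in OP_DOMAINS[:6]]
    + [{"domain": d, "registrants": ["privacy-proxy@example.invalid"]} for d in OP_DOMAINS[6:]]
    # Two constructed decoys: one unrelated, one a name-only false positive.
    + [{"domain": "unrelated-shop.su", "registrants": ["registrant-c@example.invalid"]},
       {"domain": "cvvs-recruiting.example", "registrants": ["registrant-c@example.invalid"]}]
)

if __name__ == "__main__":
    for dom, reasons in related_domains("cvv-me.su", RECORDS, ("cvv", "validcc")).items():
        print(f"{dom:28s} {', '.join(reasons)}")
```

Domains flagged only by naming pattern (here the privacy-proxied ones and the decoy) are leads to confirm with hosting, certificate or content overlap, not conclusions.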

They even run these sites with SSL certificates from GlobalSign and COMODO, lending credence to the idea that this isn’t a bunch of kids playing in the banks’ backyards. The folks behind the op also take care to change hosting servers every month or so as they gain popularity and attract takedown attempts.

CVV.ME isn’t the only one of its kind, of course. UniCC, among many, many others, even has a promotional YouTube video touting its commitment to ‘your profits’.

India came late to the party but with a bang nonetheless

On 29 January, 2018, a huge dump of Indian credit cards’ details was added to the site.

Almost all the top Indian banks are listed on the site, with Bank of India at #1 with 133,912 cards, closely followed by HDFC with 112,264 and SBI at #3 with 106,694 cards.

While some reports suggested Punjab National Bank had only 1,000 to 10,000 of its customers affected, we found CVV.ME has 22,390 of the bank’s customers’ details on it at the time of publishing, adding to the bank’s current woes.

CVV.ME isn’t a great talker. :-)

We tried getting an operator of the site to respond to what we thought would be an interesting query but nada. The site’s hosted in Russia so we’re hoping they’re asleep and will respond when they wake up. Or maybe they’re inundated with orders and don’t really care for queries about the quality of the data. After all, $4.90 isn’t a lot at all even for cards with low credit limits.

ThreatLandscape is a cyber threat intel solutions company monitoring the open and the scarier aspects of the deep web for brand mentions, infrastructure disclosures, third-party data leaks, and more. Our human+machine intelligence framework allows us to not just quickly alert our customers to sites like CVV.ME but also work with authorities to remediate such situations.

Beyond The Perimeter

Exploits in the wild. Stories from our desk.