In a turn of poetic justice, BriansClub, an online fraud bazaar known for selling stolen credit card data, has been hacked, exposing more than 26 million credit and debit card records that the forum gathered from hacks of online and brick-and-mortar retailers.
A source shared the hacked database of stolen credit card information with the cybersecurity expert at Krebs on Security; the identity of the source was withheld. According to Krebs, the source shared with him a plain text file containing what was alleged to be the full database of credit card information that is being sold, and has been sold, through BriansClub.
Based on the investigation conducted by Krebs and his colleagues, the entries in the database given to him by his source matched the stolen credit cards currently listed on the product page of BriansClub, confirming that the leaked database contains the inventory of hacked financial information that the platform offers to other fraudsters. He said that the entire database taken from the underground credit card store was “shared with multiple sources who work closely with financial institutions to identify and monitor or reissue cards that show up for sale in the cybercrime underground.”
In his blog post, the expert described the leaked database as containing “dumps.” According to Krebs, these are strings of binary digits, ones and zeros, which the “buyer” can encode onto anything with a magnetic stripe that is the size of an actual credit card. With the makeshift credit card, the buyer can then purchase anything, including high-priced items, from any store that honors credit or debit card payments.
“Most of what’s on offer at BriansClub are ‘dumps,’ strings of ones and zeros that — when encoded onto anything with a magnetic stripe the size of a credit card — can be used by thieves to purchase electronics, gift cards, and other high-priced items at big box stores,” the blog post reads.
The financial sector has since moved from magstripe cards to the standard EMV cards to ensure that things like this would not happen. However, some banks and financial service providers still use magstripe cards for their legacy services.
Krebs estimated that, with a loss of approximately $500 for every cardholder whose data was in the database, BriansClub could have generated as much as $4 billion in losses from the roughly nine million cards it has already sold to problematic buyers since 2015.
But that’s just the revenue the platform earns for cards that have already been sold. According to the report on Krebs's blog, “BriansClub added just 1.7 million card records for sale. But business would pick up in each of the years that followed: In 2016, BriansClub uploaded 2.89 million stolen cards; 2017 saw some 4.9 million cards added; 2018 brought in 9.2 million more.”
Allison Nixon, the company’s director of security research, said the data suggests that between 2015 and August 2019, BriansClub sold roughly 9.1 million stolen credit cards, earning the site $126 million in sales. He noted that all of these transactions had been made in Bitcoin.