A massive cyber attack that targeted BriansClub, an underground store selling stolen credit and debit card records, resulted in the recovery of as many as 26 million credit and debit card records that included data stolen from hacked online and brick-and-mortar retailers since 2016.
While it is common for one to come across news about hackers hijacking devices used by retailers to steal customers’ payment card records and re-sell them on Dark Web marketplaces, it is quite uncommon to read about thieves losing large chunks of stolen data to equally-effective cyber attacks.
Earlier today, security researcher Brian Krebs revealed that BriansClub, an underground forum frequented by cyber criminals and which spoofs his own website, suffered a major cyber attack that resulted in the loss of up to 26 million credit and debit card records. These records were stolen from hacked online and brick-and-mortar retailers over the past four years and were put up for sale on the underground website.
According to Krebs, credit and debit card records recovered from BriansClub included 1.7 million card records stolen from online and brick-and-mortar retailers in 2015, 2.89 million records stolen in 2016, 4.89 million records stolen in 2017, 9.2 million records stolen in 2018, and another 7.6 million records that were stolen by various hackers between January and August this year.
The hacking of BriansClub took place sometime last month and Krebs was made aware of it by a source who shared the recovered dump with him via plain text. Further analysis of the hacked data, as well as a look at BriansClub’s pricing tiers for card records, indicated that the underground site stored stolen information worth approximately $414 million (£325.3 million).
Loss of 26m credit and debit card records could cripple BrianClub’s finances
Allison Nixon, director of security research at Flashpoint, told Krebs that between 2015 and August this year, BriansClub sold 9.1 million stolen credit cards, earning $126 million in the process. However, considering that US law enforcement authorities value each stolen card record at $500, the underground store suffered around $2.27 billion in lost earnings.
The underground store more or less functions as a reselling forum where hackers upload stolen credit and debit card records and earn a percentage of the sales once a sale has been completed. Stolen payment card records are frequently uploaded to the website, sometimes in the tens of thousands and prices are fixed based on the utility of each record to buyers.
According to Krebs, more than 50 percent, or over 14 million out of the 26 million credit and debit card records recovered from BriansClub may still be valid, indicating that the cyber attack may have inflicted huge losses on its propreiters.
“With over 78% of the illicit trade of stolen cards attributed to only a dozen of dark web markets, a breach of this magnitude will undoubtedly disturb the underground trade in the short term. However, since the demand for stolen credit cards is on the rise, other vendors will undoubtedly attempt to capitalize on the disappearance of the top player,” said Andrei Barysevich, co-founder and CEO at Gemini to Krebs.
“Whether you’re running a global enterprise, a startup, small business or a shop for stolen data there are several truths in cybersecurity. First, the attackers define the rules of the attack and the best you can do is defend against their actions. Second, the only data ever taken is data available for the taking,” says Tim Mackey, Principal Security Strategist at Synopsys CyRC.
“When designing your data collection and storage procedures, it’s critical to look at all data operations through the lens of what would happen if there was absolutely nothing preventing your biggest competitor or worst enemy from downloading that data. Is all the data appropriately encrypted? Are all access attempts audited? Is modification controlled?
“For these questions, and many more, the next question becomes one of “How” and it’s how you approach these questions and their answers which distinguishes a successful cybersecurity initiative from one likely to make the news for the wrong reasons,” he adds.