October 29, 2019

Reporting on the exposure of some 26 million stolen credit cards leaked from a top underground cybercrime store highlighted some persistent and hard truths. Most notably, that the world’s largest financial institutions tend to have a much better idea of which merchants and bank cards have been breached than do the thousands of smaller banks and credit unions across the United States. Also, a great deal of cybercrime seems to be perpetrated by a relatively small number of people.

In September, an anonymous source sent KrebsOnSecurity a link to a nearly 10 gb set of files that included data for approximately 26 million credit and debit cards stolen from hundreds — if not thousands — of hacked online and brick-and-mortar businesses over the past four years.

The data was taken from BriansClub, an underground “carding” store that has (ab)used this author’s name, likeness and reputation in its advertising since 2015. The card accounts were stolen by hackers or “resellers” who make a living breaking into payment card systems online and in the real world. Those resellers then share the revenue from any cards sold through BriansClub.

KrebsOnSecurity shared a copy of the BriansClub card database with Gemini Advisory, a New York-based company that monitors BriansClub and dozens of other carding shops to learn when new cards are added.

Gemini estimates that the 26 million cards — 46 percent credit cards and 54 percent debit cards — represent almost one-third of the existing 87 million credit and debit card accounts currently for sale in the underground.

“While many of these cards were added in previous years, more than 21.6 million will not expire until after October 2019, offering cybercriminal buyers ample opportunity to cash out these records,” Gemini wrote in an analysis of the BriansClub data shared with this author.

Cards stolen from U.S. residents made up the bulk of the data set (~24 million of the 26+ million cards), and as a result these far more plentiful cards were priced much lower than cards from banks outside the U.S. Between 2016 and 2019, cards stolen from U.S.-based bank customers fetched between $12.76 and $16.80 apiece, while non-U.S. cards were priced between $17.04 and $35.70 during the same period.

Image: Gemini Advisory.

Unfortunately for cybercrime investigators, the person who hacked BriansClub has not released (at least not to this author) any information about the BriansClub users, payments, vendors or resellers. [Side note: This hasn’t stopped an unscrupulous huckster from approaching several of my financial industry sources with unlikely offers of said data in exchange for bitcoin].

But the database does have records of which cards were sold and which resellers (identified only by a unique number) supplied those cards, Gemini found.

“While neither the vendor nor the buyer usernames appeared in this database, they were each assigned ID numbers,” Gemini wrote. “This allowed analysts to determine how prolific certain threat actors were on BriansClub and derive relevant metrics from this data.”

According to Gemini, there were 142 resellers and more than 50,000 buyers of the card data sold through BriansClub. These buyers purchased at least 9 million of the 27.2 million cards available.

Image: Gemini Advisory

One reseller in particular (ID: 174,829) offered just shy of 6 million records, posted for $106 million. Of those, almost 940,000 were sold, grossing over $16 million in profits shared between BriansClub and the reseller. In the quote below, a “base” refers to a distinct batch of freshly-stolen card data uploaded to BriansClub.

“For context, the collective price for the entirety of exposed BriansClub records was $566 million, while the total dollar amount of all sold records exceeded $162 million,” Gemini noted. “The top 20 buyers bought 5% of the entire set of records in this shop, while the top 100 buyers accounted for 11%. The shop had a total of 11,000 bases, with most vendors uploading multiple bases.”

Image: Gemini Advisory

All of the 26 million+ card records leaked from BriansClub were shared with multiple trusted sources that work directly with financial institutions to inform them when their customers’ cards go up for sale in the cybercrime underground.

Banks at this point basically have three options. Ignore the report and hope for the best. Cancel the card and reissue. Or monitor the card more closely and place tighter fraud controls on that account.

But here’s the thing: Not all banks got the data at the same time. The larger banks got it first and largely shrugged. At least according to anti-fraud sources at two large U.S.-based financial institutions: Their anti-fraud teams had already identified 90-95 percent of the cards as potentially compromised in one of hundreds of breaches since 2015, mostly those involving malware inside point-of-sale retail checkout systems.

The sources I spoke with at smaller financial institutions found out about the cards they’d issued to customers that wound up in the BriansClub data by receiving alerts last week from Visa and MasterCard. Most of those sources seemed genuinely surprised at the number of cards exposed, and two sources at different credit unions each estimated they were previously unaware of about 80 percent of the cards listed in the alerts from the credit card companies.

Also, smaller financial institutions are far more likely to eat the cost of re-issuing cards at risk of fraudulent use than are larger institutions, which typically have much a higher tolerance for financial losses from counterfeit card fraud. So far, however, there is no evidence this flood of card data intelligence is causing much of a stampede for re-issuing cards.

Visa maintains that smaller financial institutions receive the same alerts sent to larger banks about cards thought to be exposed in specific breaches. The alerts include cards specific to each bank, but smaller banks are often limited in the resources they have available to do much with the reported card data, aside from re-issuing the card.

Gemini CEO and co-founder Andrei Barysevich said so far the feedback from the banks has been all over the place.

“While the larger US banks told us that most of the cards have been previously flagged as compromised, the mid and small size financial institutions were caught completely off-guard,” he said. “As to the European and Asian banks, to them the data was mostly new, in some cases upwards of 60% of cards were still open and active.”

I thought perhaps the card associations could provide some meta-statistics on the BriansClub dump, but also those hopes were dashed. MasterCard did not respond to requests for comment. Visa declined to share any information related to the BriansClub database (even though they got it indirectly care of Yours Truly), but issued the following statement:

“As part of our core mission to ensure security across the payment system, we are very aware of carder forums and other criminal enterprises. Visa continuously invests in intelligence and technology to detect cyber threats and works with law enforcement, clients and other partners, to mitigate and disrupt such threats.

“Whenever we discover compromised account information, Visa uses its payment intelligence and investigative capabilities to determine the source. We also work with our financial institution clients to provide card issuers with the compromised account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, by reissuing cards. Incidents such as these reinforce the need for secure technologies such as chip and tokenization to devalue account information so that even if stolen, data cannot be leveraged for fraud.””

Gemini found that exactly two-thirds of the stolen cards (66.6 percent) siphoned from BriansClub were Visa-branded, and 23 percent MasterCard. A full 85% of the total records were EMV (chip) enabled, with the remaining 15% using only a magnetic stripe.

One final note: The Gemini report also challenges claims made by the administrator of BriansClub, namely that he removed the breached cards from his online store and that the data leak stemmed from a breach in February as his site’s data center.

The BriansClub admin, defending the honor of his stolen cards shop after a major breach.

“While the administrator of BriansClub, operating under the moniker ‘Brian Krebs,’ claimed that the breach took place in February 2019, this appears to be false,” Gemini observed in its report. “The number of records from South Korea corresponds to a previous spike in South Korean records that occurred from March 2019 through July 2019. If BriansClub were breached in February, the South Korean-issued cards would number under 10,000 rather than over 1 million.”

The report continues:

“This threat actor also claimed to have removed the compromised records from the shop. Gemini has found this claim to be false as well. Since BriansClub offers a ‘checker service’ for all purchased records to determine whether compromised payment cards are still open, it may be unnecessary to remove the cards. The shop likely assumes that even if the banks received the compromised card data from this breach, they are unlikely to close down and reissue every single card.”


27 thoughts on “Takeaways from the $566M BriansClub breach

  1. Eric J

    Soooo, I always wondered how your site makes revenue…(kidding)

    So once you unmask the briansclub admin, you should make an ironically named anti-carder site named after the admin. Nice story!

    1. John

      This is an ironically named anti-carder site aimed at the carder… lol

  2. The Sunshine State

    “Also, smaller financial institutions are far more likely to eat the cost of re-issuing cards at risk of fraudulent use than are larger institutions, which typically have much a higher tolerance for financial losses from counterfeit card fraud. So far, however, there is no evidence this flood of card data intelligence to the banking sector is causing much of stampede for re-issuing cards”

    The financial institutions just pass the loss off with higher interest rates for credit cards and loans to make up for the lost revenue.

    1. timeless

      There’s a competitive limit here. If bank A raises its charges by X and bank B doesn’t, some of bank A’s customers may flee bank A for bank B.

      It’ll depend on the local/regional market, but sometimes banks will be forced to eat costs out of their profits as opposed to increasing visible charges.

  3. Marcus Aurelius Tarkus

    “Also, a great deal of cybercrime seems to be perpetrated by a relatively small number of people.”

    Shall we call them the Criminoligarchy?

  4. LauraW

    .. I received the breach alert from visa and reissued all the cards on the same day.

  5. Notme

    Interesting that the big dogs just shrug and say “ we already knew about this”. It’s always the consumer who has to watch out for misuse of the card and deal with reporting charges that are invalid. Even when they already knew the card data was for sale.

    Thanks for shining the light once again!

    1. Hershel

      It’s kind of disturbing if you think about it. They knew about it, but why didn’t they do anything about it?

      1. johannn wilkerson

        >>They knew about it, but why didn’t they do anything about it?

        Because they don’t have to. IF you notice fraudulent charges on your card, and IF you report it within the requisite time frame, only then does the financial institution have to do anything about it. So there is a non-zero chance that you will end up owning the debt, and be obligated to pay them. This is how they make money, so there is no incentive to get out front and take a 100% chance on losing money on the charge.

    2. DF

      I think you may have misinterpreted what Brian wrote with regards to the “big dogs.”

      “Their anti-fraud teams had already identified 90-95 percent of the cards as potentially compromised”.

      This doesn’t mean that they haven’t acted on this information it just means it wasn’t new information for them. They likely already took steps once their anti-fraud team identified that the card was compromised.

      As the article points out it is the smaller financial institutions that are more likely to not have acted on this rather than the “big dogs.” But that is merely from a lack of resources not a lack of desire to combat fraud.

  6. John S

    When I see that a single reseller grossed over $16 million in profits, I wonder where that money goes. I’m sure it doesn’t go to feed the hungry and house the poor. The thought that it is being used for nefarious purposes really disturbs me.

  7. Readership1

    Have you learned your lesson, yet? Stop sharing information with MC and Visa until they give you proper responses.

    And the big banks are clearly lying when they say they knew most of the numbers. They don’t want to be exposed for having done nothing to prevent financial losses that (indirectly) affect their stockholders.

    Their CEOs are making tremendous salaries while leaving a ton of potential profits on the table, because they’d rather sweep card fraud under the rug. If their stockholders knew how much was lost due to FI laziness, they’d drop the stocks quickly.

  8. Whoever

    Did you clowns read the article? “ Ignore the report and hope for the best. Cancel the card and reissue. Or monitor the card more closely and place tighter fraud controls on that account.”. Those are the 3 choices FIs have. For those banks that identified the cards prior to this release, what makes you think they didn’t choose option 3? It’s not that they knew and did nothing, it’s that they did something other than reissue.

    And for the clown that thinks CEOs sweep card fraud under the rug so he/she can retain a hefty salary, what sense does that make? Fraud losses are an expense, therefore reducing profits. Reissues are an expense therefore reducing profits. Fraud monitoring is an expense therefore reducing profit. Do you think a financial analysis has been conducted to weigh the costs and benefits of each over time? The job of the CEO is to optimize shareholder return and that means they will absorb some losses, some reissue expense and some monitoring expense. Christ, all of you need to go take a course in economics.

  9. Nobody

    There aren’t just those three options for dealing with credit card fraud.

    The fraud problem exists entirely because the financial institutions have set up a system which encourages fraud. In order to pay for something, you have to give someone all the information necessary for someone else to use your card. The fact that this is still how the system works makes me wonder if Visa and Mastercard somehow make money off fraudulent transactions.

    The idea that these large organizations are actually efficient or intelligent just because they make big money is absurd. The bigger an organization is, the greater percentage of pointy-haired bosses and slackers it can accommodate without collapsing. So many other businesses make their bread through the two biggest credit card companies that they have become “too big to fail”. I’m sure the FIs have done a financial analysis, but it’s likely fairly short term since that’s what benefits today’s shareholders best.

    1. timeless

      I’d assume that the network either takes a charge or a percentage of the transaction, just as the payment processor does. It’s probably much smaller, but since they get more transactions, it’d still be valuable.

      Visa seems to iiuc [1]. MasterCard apparently takes it on gross transaction activity [2] which is roughly equivalent, although technically a different step in the process.

      [1] https://www.canstar.co.nz/credit-cards/how-does-visa-make-money/
      [2] https://www.investopedia.com/articles/markets/032615/how-mastercard-makes-its-money-ma.asp

  10. JimV

    Great reporting, as usual Brian! I’m left wondering to what extent the largest grouping of carder miscreants in that listing might be associated with North Korea, as it sure seems like the type of financial fraud involved would be an excellent mechanism for getting around the international sanctions imposed on the country’s weapons program, along with bitcoin and other cryptocurrency thefts and gaming of the value through repeated pump-dump-and-repurchase practices.

  11. vb

    If the retailor who was responsible for the breach, was also responsible for paying for re-issuing cards, the entire problem would be solved rapidly.

    As it stands, the cost of bad retailors is being shouldered by the card issuing banks. That is not fair. The retailors should have a far greater incentive to have adequate point-of-sale systems security.

  12. Dave Horsfall

    You know you’re doing a good job when the ne’er-do-wells rip off your name and reputation; keep up the good work! You have certainly p*ssed off a lot of people…

  13. Jason

    Is this why all the cards I buy from you with the last of my cash are dead?

    How the heck much did you make off that store anyway???

  14. Paul

    Brian,

    Are you able to do an article on ACH fraud as it relates to small businesses? Thank you!

  15. Mark samson

    I Believe Brian krebs is responsible for all that fraud his name and picture are on the site how does brian krebs make his money i think he is in line with the credit card scammers and his articles are a way to advertise his websites

  16. Spinia

    Yes, hackers stole 26 million credit cards, but vigilantes just rescued them.

Comments are closed.