Joker's Stash Advertises More Stolen Payment Card Data
Carder Forum Listing Appears Tied to Breaches at Four Restaurant Chains
A new batch of stolen payment card data has appeared on the notorious Joker's Stash underground marketplace. The new listing appears related to breaches at four different restaurant chains in the U.S. over the last several months, according to a security analysis published this week.
The new breach listing, dubbed "New World Order," first appeared on the Joker's Stash marketplace on Nov. 22, and the batch of data appears to include credit and debit card data stolen from four different restaurant chains that include fast-food chain Krystal, Moe's Southwest Grill, McAlister's Deli, and Schlotzsky's, according to the analysis by Gemini Advisory, which tracks stolen payment card data.
Moe's, McAlister's and Schlotzsky's are all owned by Focus Brands. The breaches at those restaurants happened between April and July and were publicly disclosed on Aug. 23, according to Gemini. These three eateries have a total of 1,500 locations across the U.S.
The breach involving Krystal occurred between July and September and was later disclosed in October, according to the analysis. Krystal has over 340 restaurants across the southeastern U.S.
How Much Data?
Of the 1,750 restaurants targeted by these attacks between April and September, over 50 percent were breached, which meant that millions of credit and debit card numbers were stolen, the Gemini analysis finds.
"These breached locations were concentrated in the southern United States, with the highest exposure in Florida, Georgia, South Carolina, North Carolina, and Alabama," according to the Gemini analysis that was shared with Information Security Media Group.
The Gemini analysis also notes that the delay between the breaches that occurred earlier this year, and data being offered on Joker's Stash starting in November, appears to be an effort to avoid oversaturating the underground marketplace with an excess of stolen payment records.
How much stolen credit card data is now for sale on Joker's Stash remains in dispute. Security blogger Brian Krebs, who first reported the new batch of payment card data, writes that there are at least 4 million credit and debit card numbers for sale on the underground forum.
Stas Alforov, Gemini's director of research and development, says that it's too soon to say how much data is contained in the New World Order breach. "The shop [Joker's Stash] often uploads very large breaches in staggered additions of smaller amounts to avoid flooding the market," he tells ISMG.
Tis the Season
One reason that this new listing may have appeared at the end of November is that it coincides with the holiday shopping season, which starts on Black Friday, Nov. 29. Alforov notes that cybercriminals might be looking for new batches of stolen payment card data in order to take advantage of this burst of commercial activity.
"While Joker's Stash adds large breaches throughout the year, the Black Friday holiday season has particularly high cybercriminal activity," Alforov says. "The influx of records from this shop during this time is likely an attempt to match the shop's supply with increased consumer demand, and the uploads are spread out to avoid oversaturating the dark web market with an excess of stolen payment records."
Slow Drip of Data
In previous reports, other security researchers have found that Joker's Stash remains one of the major underground sites specializing in the sale of stolen payment card data. These security analysts have also periodically come across large data dumps on the forum.
As recently as October, Joker's Stash advertised a listing of 1.3 million credit and debit cards, most of which have been issued to Indian banking customers, according to an analysis by security firm Group-IB (see: Joker's Stash Lists 1.3 Million Stolen Indian Payment Cards).
In the case of the stolen payment cards for India, the person or persons behind Joker's Stash slowly pushed the data out to keep interest in the database high and to ensure that prices for the data didn't dip below a certain amount, according to Group-IB.
Joker's Stash is likely to take the same approach to the data stolen from the four restaurant chains, Alforov says.
In many cases, customer data stolen from restaurants and other hospitality companies comes from poor security practices around payment devices and services such as point-of-sale machines.
In some cases, point-of-sale malware, also known as scrapers, can capture unencrypted card details while they are briefly held in a device's RAM. Cybercriminals can also capitalize on vulnerabilities in an organization's infrastructure, then try to move laterally to gain access to payment processing systems.
Earlier this week, Catch Hospitality Group, which operates a series of high-end restaurants in New York City, acknowledged that customer data was compromised when someone planted malware on point-of-sale machines (see: Restaurant Chain: Malware Infected PoS Devices).
Any business that accepts, stores, processes and transmits payment card data is supposed to comply with the PCI Data Security Standard, but many companies simply do not follow or fully implement these security regulations. In fact, the Verizon 2019 Payment Security Report survey of more than 300 organizations found that compliance with PCI DSS dropped to 37 percent in 2018 from a peak of 55 percent in 2016 (see: Verizon: Companies Failing to Maintain PCI DSS Compliance).
Alforov says that many companies, especially hospitality organizations, do not focus on security or keeping up with standards like PCI DSS until a breach happens and executives are held liable for the loss of data.
"A robust security posture can be expensive and involve training, which these companies may see as unnecessary expenses," Alforov says. "While the cost of effective security is frequently far lower than the cost of handling an unexpected large-scale breach, this calculation may not become clear until after a major breach occurs."