February 3, 2021
E-gift cards falling into the hands of malicious individuals who then sell them for a profit isn’t anything new. However, when a huge batch like that one spotted by Gemini Advisory recently is sold, it’s worth looking into it more thoroughly. According to the relevant report, in February 2021, someone sold 895,000 stolen gift cards for a buy-now price of only $20,000.
Following a successful transaction, the same cybercriminal sold 330,000 payment cards with full cardholder name details, CVV codes, expiration date, card number, bank name, etc. That second batch was sold for just $15,000, and it was purchased within a couple of days.
Following an analysis of the data that was offered for purchase, Gemini Advisory concluded that the credit cards came from a breach on the online gift card shop ‘Cardpool.com.’ The evidence suggests that the breach lasted between February 4, 2019, and August 4, 2019, a period during which the actors were actively exfiltrating card details, probably by means of a skimmer planted on the now-defunct platform. About 85% of the visitors of Cardpool.com were residents of the United States, so the recently sold card set mainly affects Americans.
The seller chose not to disclose the source of the gift cards. Still, the listing mentions 3,000 brands, including Airbnb, Amazon, American Airlines, Chipotle, Dunkin Donuts, Marriott, Nike, Subway, Target, and Walmart. The total redemption value of the entire gift card package is estimated to be $38,000,000, which is nowhere near the selling price.
Possibly, the actor stole these cards directly from the database of Cardpool.com after gaining access to the backend of the platform. Gemini believes this is also another possible explanation of how credit card CVV data was exfiltrated, too, if a skimmer wasn’t used after all.
The criminal appeared to be well-versed with the Russian language, and according to the researchers, the user is very active on top and mid-tier dark web forums since 2010. He has previously sold stolen card data, entire database dumps, and the PII of United States residents, so he seems to have a preference or focus if you like.
We have recently advised you not to buy gift cards from online shops, especially right before or during holidays when the hacking activity spikes. The sector is just too vulnerable and generally untrustworthy, so it’s really not worth risking your credit card details. The Cardpool.com incident is just another case that highlights the fact.