Private details of hundreds of debit and credit cards in the UK are being leaked on the dark web every week for as little as £7, cybersecurity researchers have revealed.
In the past six months, 74,775 credit and debit cards belonging to people in Britain were put on sale on the dark web, part of the internet that is not visible to search engines and needs a special anonymising browser to use.
The cards on sale include all details necessary to make a purchase — the name on the card, the number, expiry date and CVV number — while criminals can place filters on their searches, such as looking only for a Lloyds bank debit card from England, for example.
CyberInt, the cybersecurity firm that provided the figures, said that there had been a jump in the number of cards being sold by criminals on the dark web since the pandemic, as scammers make the most of more people shopping online.
Researchers said that credit card details were stolen in multiple ways. Some popular tactics include tricking people into clicking on malicious links sent via an email or text message that puts malware on their computer and allows hackers to track keystrokes; finding security flaws in retail or banking websites that enable the theft of card details; and creating replica sites of a legitimate website.
UK Finance, the trade body for British banks, warned last month that the amount of “smishing” text messages claiming to be from parcel delivery firms was surging. These claim that a courier has been unable to make a delivery and asks the recipient to pay a fee or to provide additional details in order to rearrange. There is then a link to a website that will look like part of the delivery firm’s site asking for personal and financial information.
Reuben Braham, a vice-president at CyberInt, said: “Credit card theft has always been bad, but with coronavirus it’s getting a lot worse as people are making a lot more transactions online, so it becomes easier to get these card details. It’s only increasing.”
CyberInt, which is based in Tel Aviv, uses a special tool that it has created to monitor the sale of stolen credit cards.
In the United States, 484,745 cards have been leaked and put up for sale on the dark web in the past 180 days, while globally the total is 1.8 million cards.
The average cost of a debit or credit card typically ranges from $10 to $20 (£7 to £15), according to CyberInt, with criminals often selling dozens in one go, with the purchase usually made in cryptocurrencies.
Noam Kehati, a researcher at CyberInt, said that the cards being sold would come with details such as which country it had been stolen from, what bank issued it, and how much money was on the card. She added: “In some of the markets [on the dark web], there is someone managing the whole marketplace to see that the transactions are fair and everyone is getting their right share.”
Last week the largest dark web marketplace of stolen credit cards said that it was shutting down. UniCC, which has made $358 million since 2013 in fees from the sale of stolen payment card information by its members, posted on dark web forums in Russian and English that it was retiring. Analysts expected the gap it had left in the market to be filled quickly