Naked Security Naked Security

Hackers hack card details from BriansClub carding site

They stole 26 million credit cards from the massive black market site, and now financial institutions are ensuring the cards can't be abused.

Hackers have hacked BriansClub, one of the biggest black market sites trafficking in stolen credit card data, whisking away the data of more than 26 million payment cards.

Security journalist Brian Krebs reported that last month, a source shared a plain text file containing what they claimed to be the full database of cards for sale, both currently and historically, at BriansClub.

That cache contains details stolen from bricks-and-mortar retailers over the past four years, including nearly eight million uploaded so far in this year alone.

Krebs reports that the data hacked out of the carder site has been shared with people who work with financial institutions that identify, monitor, or reissue compromised cards that show up for sale on criminal forums. BriansClub mostly resells cards stolen by other cybercrooks, known as resellers or affiliates, who earn a (currently undetermined) percentage from each sale, Krebs says.

As we’ve noted in the past when reporting about payment card theft, “carding” is a general term for a range of related crimes, including:

  • Stealing card numbers using skimming devices – often installed at gas stations – or data-grabbing malware installed at point-of-sale systems in restaurants or stores.
  • Buying and selling card numbers and related personal information.
  • Using illegally acquired card details for online fraud, often to buy products for cut-price resale.
  • Making fake cards, encoded with stolen data, that rack up charges against other people’s accounts.
  • Using fake cards to withdraw money from ATMs in return for a cut of the proceeds.
  • Going on spending sprees with fake cards to buy products for cut-price resale.

Krebs says that most of what’s for sale at BriansClub are strings of data that can be encoded onto anything with a magnetic stripe the size of a credit card, which can then be used to go on those fake-card spending sprees.

He calculates that with cardholder losses estimated at around $500 per card, BriansClub could have generated as much as $4 billion from the roughly nine million cards it’s sold to fraudsters since 2015.