The credit card details of multiple Australian businesses could potentially be for sale via an online marketplace on the “dark web”.
The dark web is a part of the internet inaccessible through normal web browsers, instead requiring specialised software which ensures a high level of anonymity. It is due to this anonymity that the dark web is popular for vendors selling anything from illicit drugs to firearms, including scammed credit card details.
SmartCompany understands there is a listing on a popular dark web marketplace purporting to be selling credit card details of Australian businesses. This comes in the same week as The Guardian revealed a trader was selling Medicare details online, sparking an Australian Federal Police investigation into the way the card information was obtained.
The listing for business credit cards claims the details of the credit cards stem from a “company operating in Melbourne” offering services to “high-level clients”. The details are provided in the form of a “scanned PDF payment receipt”, and claim to include information like the billing addresses and full card details.
The seller claims buyers will receive the details of a “random Australian business” with the cards themselves being “mostly Amex/corporate”. The listing says cards with an invoice amount of $500 to $2500 can be purchased for $US30.28 ($39.78) in a digital currency such as Bitcoin.
The vendor claims they have sold 14 of these credit cards since June 17. Much like other online marketplaces, buyers can leave feedback, with the seller seemingly receiving eight pieces of positive feedback since June 19.
“Great quality. You are the best!” one piece of feedback reads.
The AFP has initiated an investigation into the seller’s acquisition of Australians’ Medicare details, but it is unknown if it will also pursue the possibility that business credit card details could be vulnerable to sale on these types of dark web marketplaces.
SmartCompany contacted the Australian Federal Police and was referred to the Australian Cyber Security Centre. The Australian Cyber Security Centre did not respond prior to publication.
Credit card information sale threat not new
Cyber security expert at Sense of Security Michael McKinnon told SmartCompany the selling of credit card details on the dark web is “not terribly new”, and speculates any credit card details that are sold through the dark web could have been obtained through a compromised e-commerce or online services website.
“This happens to businesses who have an e-commerce website that gets hacked, but the hacker keeps quiet about it and the business never finds out,” he says.
“The hacker then modifies the code involved with capturing credit card data, and silently exfiltrates the card details as purchases are being made.”
McKinnon believes the slow drain approach is beginning to be used by criminals more and more as large data breaches become better reported and controlled. While he acknowledges Australian banks “underwrite the risks” when it comes to credit card fraud, the situation poses a number of issues for businesses: both those running online stores and those using them.
“Businesses running an e-commerce website need to know their website is not immune to being hacked. If a customer or your bank taps you on the shoulder and tells you they’ve seen fraudulent transactions after dealing with your website, you need to take action,” he says.
“Reports have shown 40% of credit card breaches are notified to businesses by external parties, but there are a lot of cases where businesses will dismiss it. Keep your ears open.”
For businesses on the receiving end of credit card fraud, although banks will often investigate and provide a chargeback for the transactions, McKinnon warns this can take up to 45 days, causing unwanted disruptions for businesses.
Additionally, fraudulent activity could cause a “lot more scrutiny” from the banks, with McKinnon saying business merchant accounts being implicated in cyber crime is “the last thing you want”.
McKinnon advises vigilance for both e-commerce website operators and businesses themselves, recommending SME owners keep an eagle eye on their credit card statements, and quickly report any fraudulent activity.