04-10-2021 , 06:26 PM
The hacking spree targeting underground marketplaces has claimed another victim as a database from card shop Swarmshop emerged on another forum.
By the looks of it, the leak contains the records of the entire Swarmshop community along with all the stolen card data traded on the forum.
Full data dump
Details about the hack remain unknown, but the leak exposes 12,344 records with nicknames, hashed passwords, contact details, and activity history of Swarmshop administrators, sellers, and buyers.
Researchers at cybersecurity company Group-IB discovered that the leak occurred on March 17, a day before Carding Mafia suffered a breach that exposed email addresses of close to 300,000 members.
According to Group-IB, the Swarmshop dump includes details from 623,036 payment cards issued by banks in the U.S., Canada, U.K., China, Singapore, France, Brazil, Saudi Arabia, and Mexico.
The researchers also found “498 sets of online banking account credentials and 69,592 sets of US Social Security Numbers and Canadian Social Insurance Numbers.”
Whoever breached Swarmshop did not give any information about the hack and just dropped a message with a link to the database.
Initially, the card shop administrators argued that the data was from a previous breach in January 2020, when a hacker tried to sell the forum’s user database. Members were asked to change their passwords, though.
Group-IB analyzed the latest dump and determined that it was new, based on the most recent user activity timestamps.
“In total, the database revealed the records of 4 cardshop admins, 90 sellers, and 12,250 buyers of stolen data, including their nicknames, hashed passwords, account balance, and contact details for some entries” - Group-IB
Swarmshop is a relatively new carding forum that has been operating since at least April 2019. By March 2021, it had attracted more than 12,000 users and had data from over 600,000 payment cards on sale.
Not an isolated incident
March seems to have been a bad month for underground forums, Swarmshop being the third one hacked in this timeframe.
At the beginning of the month, BleepingComputer reported that Maza (or Mazafuka) - one of the oldest Russian-speaking hacker forums - had been attacked and had its member data leaked.
Since the beginning of the year, other communities in the same business have met the same fate. The person who tipped us off about Maza also shared screenshots of posts about attacks on Verified, Dread, and Club2Crd.
On February 15, the Verified administration lost control of the site to unknown operators who had exploited a vulnerability.
A day later, a super-moderator of Club2Crd announced that their account had been hijacked to scam forum members and steal their money.
The same month, Dread was the target of multiple attacks, and the administrator forced new security measures to prevent further disruptions.
Dmitry Volkov, Group-IB CTO, says that card shop breaches are uncommon. With Swarmshop, the assumption is that it was the target of a revenge hack that caused all sellers to lose their goods and personal data.