Tämän sivun sisältöä ei valitettavasti voida näyttää valitsemallasi kielellä.



Tilasi: Tuntematon

Siirry pääsisältöön

Malware shakes up the payment card market

  • Malware is becoming a more common tool for stealing payment details.

  • For hackers, buying malware is as easy as shopping online.

  • 99% of stolen cards include additional information (like autofill data).

key visual payment cards

Malware: The weapon of choice for payment card thieves

Payment card theft puts millions of users at risk. With most of us taking strict measures to keep our payment information safe, how do cybercriminals manage to get hold of it? And, most importantly, what do they do with it? 

NordStellar, a threat exposure management platform from the creators of NordVPN, reviewed data relating to 600,000 payment card details stolen by various types of malware. These details were stolen from users in various parts of the world, with the details later put up for sale on the dark web.

The worst part? The malware didn’t just steal the victims’ financial details. Most of the stolen payment info came with a big bonus for cybercriminals — the users’ autofill information and account credentials. This additional information opens doors to an even wider range of attacks — from identity theft to cyber extortion.

Malware as a service: A cybercriminal’s payday

Payment card theft is an orchestrated operation involving several stages and sophisticated tools.

  • Cybercriminals use malware as a service, or subscription-based malware tools, for information theft. They function like your regular subscription — you pay a fee, and get access to various data-stealing features.

  • Malware as a service is available to buy for as little as $150 per month from specialist dark web marketplaces.

  • The providers of malware as a service go the extra mile to support their customers. Often, the tools come with plenty of guidance, extensive user guides, and dedicated forums where newbies can get help.

  • The study shows a growing diversity in the type of malware used for payment card theft, indicating that cybercriminals may be competing to get their hands on your info.

  • However, some malware-as-a-service options are more popular than others, with most cybercriminals relying on RedLine.

type of malware used

Spotlight on RedLine — a cybercriminal’s top choice

RedLine is one of the most popular information-stealing malware types. Surfacing in March 2020, RedLine quickly became the dominant malware during the pandemic. 

The research revealed that six out of 10 payment cards (60%) were stolen using this sophisticated stealer.

What makes RedLine so dangerous?

  1. 1.

    It’s affordable. Cybercriminals can buy RedLine for as little as $100 on dark web marketplaces, making it relatively accessible.

  2. 2.

    It’s highly effective. RedLine is simple yet extremely effective. It uses modern evasion techniques, can download additional malware, and can even automatically spread itself.

  3. 3.

    It’s easy to deliver. RedLine is easy to deliver using social engineering techniques (like phishing emails and malicious attachments).

  4. 4.

    It’s ever-evolving. Just like non-malicious software, RedLine keeps improving — becoming easier to use and harder for antivirus software to detect.

  5. 5.

    It’s beginner friendly. RedLine has a well-established user base, with a dedicated Telegram channel offering plenty of support to novice cybercriminals.

Malware steals more than your card details

The study showed that malware equips cybercriminals with more than your payment card details. As many as 99% of the stolen cards included additional data, such as the victim’s name, computer files, and saved credentials.

The vast amount of data stolen from the victims opens endless possibilities for cybercriminals. Along with payment card details, these data points would allow someone to commit a series of cybercrimes — from identity theft to online blackmail.

additional data sold

Payment card theft by country

The research showed that payment card theft is rife in the US, with most of the stolen credit card details coming from American users. However, payment information theft appears to be severely impacting users in several other countries, such as Brazil, India, Mexico, and Argentina.

stolen cards by country top 5

Most of the stolen cards were Visa cards

All payment cards are at risk of theft. However, credit cards from the most popular providers may be stolen more often because more people use them. The study showed that over half (54%) of the 600,000 were Visa cards, and a third (33%) were Mastercard.

stolen cards by provider

9 ways malware infects devices

Malware can infect devices in many different ways. Here’s what you need to watch out for.

  1. 1.

    Phishing emails. These emails may trick users into clicking malicious links or downloading infected attachments.

  2. 2.

    Unpatched software. Hackers may target security vulnerabilities before they’re patched with software updates.

  3. 3.

    Malicious websites. Some unsafe websites automatically initiate a malware download when you land on them.

  4. 4.

    Shady downloads. Sometimes malware may hide in cracked games or freeware downloads.

  5. 5.

    Unsafe ads and pop-ups. Cybercriminals may show you malicious advertising designed to infect your device when you click it.

  6. 6.

    Infected USB devices. Hackers may also use USB drives to deliver malware to users’ devices (for example, when left unattended at a cafe or a library).

  7. 7.

    Juice jacking. Hackers may infect public charging stations and USB ports with malware that infects your device when you connect it.

  8. 8.

    Man-in-the-middle attacks. Some sophisticated attackers may use MITM techniques to intercept communications and inject devices with malware.

  9. 9.

    Remote code. Some hackers may exploit network protocol vulnerabilities to remotely inject and execute malware on the victim’s device.

Stolen data is sold and used — fast

Payment card thieves rarely use the stolen details themselves — they steal to sell. It’s a complex ecosystem with a regular supply and demand for stolen credentials.

  1. 1.

    Stolen card details are put up for sale on various channels, such as Telegram and dark web marketplaces like Joker’s Stash.

  2. 2.

    Fraudsters and cybercriminals may purchase these card details in bulk or buy them individually, depending on the information available. Cards with additional information are more in demand and likely to sell fast.

  3. 3.

    The unfortunate fact is that stolen data is sold and used incredibly quickly — often in a matter of hours. Cybercriminals know that the quicker they exploit the stolen payment card details, the higher the chance their fraudulent transactions will go through.

path of a hack

Build a strong defense against malware

Stopping an attack that’s already in full swing is much harder than preventing it. Boost your online security and protection against malware with these measures.

Learn to spot phishing

Phishing emails and texts are often responsible for malware infections. Knowing the most common signs of phishing is crucial.

Use NordVPN’s Threat Protection

Threat Protection is an advanced cybersecurity feature available with selected NordVPN plans. It blocks dangerous sites and scans files during download to prevent malware infections.

Use strong passwords

Creating long, complex, and unique passwords helps protect your accounts. For easy and secure password management, consider using NordPass.

Secure accounts with MFA

Setting up multi-factor authentication on your accounts adds an extra layer of security, which can prove incredibly useful if someone gets hold of your credentials.

Avoid shady downloads

Malware often lurks in unofficial downloads. Avoid downloading software, apps, or updates from unofficial sources — get them from app stores or official websites instead.

Use dark web monitoring tools

NordVPN’s Dark Web Monitor continuously scans the dark web for your credentials and sends an alert if your email appears in a leaked database.

More about the research

The research was conducted by NordStellar, a threat exposure management platform from the creators of NordVPN. NordStellar researchers analyzed stolen card data for sale on hacker Telegram channels to understand how this information was obtained.

The study reviewed various data points, such as when the incident occurred, the providers of the stolen cards, the data harvested alongside the payment card, the type of malware used, the country of the incident, and the targeted operating system (OS). The study ran in April 2024.

Please note: No individual payment card details or user credentials were accessed or purchased during this research study. The researchers only analyzed the metadata that comes with stolen data listings on specialized Telegram channels and dark web marketplaces.

Want to learn more about our digital life? Check out our other research!

Misfortune cookie? Billions of stolen cookies expose your data

Cookies keep us logged in and ensure our shopping carts remain filled while we decide what to buy. But they can also lead to identity theft, financial loss, and phishing attacks. Researchers analyzed 54 billion cookies that are for sale on the dark web to find out how they were stolen, what information they contain, and how criminals can use it for other cyberattacks.

Find out more

Mobile privacy: What do your apps want to know?

Your Android and iOS apps need phone permissions to function — but how much data is too much? We reviewed over a hundred popular apps around the world to see just how much they really want (and need) to know about you.

Find out more

Healing or hacking? Examining the hidden cost of health apps

Health apps can help us achieve peace of mind and restore our physical health. But what role does health technology play in our digital well-being? We surveyed 12,726 users worldwide to examine the use of health management apps and the unnoticed trade-off happening in the background.

Find out more