Data from 1,700 credit cards stolen from e-commerce sites

From January to August 2019, the details of 26,102 payment cards issued by Singapore banks were found by locally based cyber-security firm Group-IB to be for sale on the Dark Web.

Skimming software is said to have infected multiple e-commerce websites frequented by Singaporeans, resulting in the data of more than 1,700 credit cards being stolen and sold on the Dark Web in a single database, in one of the biggest cases here.

Singapore-based cyber-security firm Group-IB said this database was one of many linked to 26,102 payment cards issued by Singapore banks that it found sold on the Dark Web from January to last month. The estimated underground value of the cards was US$1.8 million (S$2.5 million).

The firm said skimmers used the malicious software to intercept payment card details on infected websites, and then sold the data on the Dark Web - a part of the Internet accessible only via special software which allows users to remain anonymous or untraceable.

Group-IB said the case involving the stolen details of 1,726 cards was significant because, on average, the number of compromised Singapore-linked credit cards uploaded in a single database onto the Dark Web rarely exceeded several hundred, based on its review period of January to last month.

The firm declined to reveal which websites were infected, but said they were frequented by Singaporeans and were based both locally and overseas.

A 2017 study by online saving platform Flipit showed that three in five Singaporeans shop online.

Group-IB said that the database in question was named «31.03-SG_MIX_SNIFF», which suggested that the malware called JavaScript-sniffers (JS-sniffers) was used. The malware acts as the digital equivalent of a traditional credit card skimmer - a small device installed on automated teller machines to intercept bank card details. JS-sniffers can intercept different types of payment and other personal details.

Group-IB said: "Usually, a few lines of code injected into websites can capture data entered by customers, such as payment card numbers, names, addresses, passwords. A multi-linked chain of victims of JS-sniffers includes online shoppers, online stores, payment systems and banks.

"Quite often, neither a customer nor a website owner can detect the activity of JS-sniffers."

A report that Group-IB issued in April said JS-sniffers had infected 2,440 websites globally. JS-sniffers are capable of injecting fake Web forms - made to look like legitimate payment forms from firms such as PayPal and Stripe - in order to steal customer payment data from online stores.


The Monetary Authority of Singapore (MAS) said it monitors cyber threats and attacks that result in payment card fraud. Security vendors have reported an increase in data theft cases globally - including those involving the loss of card details from compromised e-commerce websites, it added.

"MAS requires financial institutions in Singapore to implement information technology controls to protect sensitive information from unauthorised disclosure," said a spokesman.

Mr Bryan Tan, a lawyer from Pinsent Masons MPillay who specialises in technology law and data protection, said that when data theft has taken place, the data owner might not realise it right away as bad actors might not be making use of the data yet.

Mr K.K. Lim, head of cyber security, privacy and data protection at law firm Eversheds Harry Elias, said that on the Dark Web, the buying process is hidden, and so those whose details have been stolen might not be aware of it.

Group-IB advises online shoppers to be cautious by, for example, using a separate card exclusively for online purchases, or using a card with a stored value.

Its founder and chief executive Ilya Sachkov said: "The administrators of e-commerce websites, for their part, need to keep their software updated, carry out regular cyber-security assessments of their websites and not hesitate to seek assistance from specialists."

A version of this article appeared in the print edition of The Straits Times on September 25, 2019, with the headline 'Data from 1,700 credit cards stolen from e-commerce sites'.