Credit Card Data Exposed Online Is Tested Within 2 Hours

Be it fake or real, payment card data does not survive untouched for long on the web, a recent experiment showed. The bad guys are testing everything they find on the internet, just to make sure they don't miss an opportunity to cash in.

From the moment it landed on several paste sites, it took two hours for data from a Visa card to be used for a micro-transaction, just to check it's validity.

The small purchase test

Carried out with a prepaid card, the purpose of the test was to observe how information travels on the internet and its underground sites.

Over the past two years, fraudsters tried four times to use David Greenwood's credit card. This sparked an interest in the researcher from ThreatPipes to learn how information is distributed over the internet and its dark corners.

After getting an anonymous Visa prepaid card, the researcher tried to sell the data directly on the dark web only to find himself banging on a door that no one answers to.

So he decided to go with plan B and give it away for free. In a package with fake card numbers, he slipped in the details for his prepaid Visa, which included expiration dates, CVV code, and billing address.

Nothing happened for two hours. Then, the researcher's card recorded a micro-transaction designed to check if the data was valid. These tests are typically automatic, carried out by bots specifically built for this task.

Bots are actively scanning the internet and running tests to see if the data they encountered is good or burnt. They can be adjusted to scour the web for the type of information fraudsters or cybercriminals are looking for.

Sensitive data can be anything, not just card details. In an experiment in 2017, SANS Technology Institute member Johannes Ullrich found that bots connected every two minutes to a DVR system exposed on the internet with its factory configuration.