The Truth Behind Joker's Stash / Wawa Announcement
Over the past two weeks, all the leading news agency have reported that the millions of credit cards stolen at Wawa’s stores in the United States in 2019 have been put on sale on the dark web. While accurate in many ways, the news reports would benefit from a few corrections.
Wawa’s stolen cards have probably been on the market for months, not days
Malicious actors were in Wawa’s payment system between March 4th 2019 and December 12th 2019.
It would make very little sense for them to hold on to the stolen financial information for the entire 283 days their hack was active. Many cards they collected during that period expired and became worthless unless sold right away.
Moreover, offering for sale all the cards stolen from a single payment system at the same time increases the odds of the fraud being detected and that cards are cancelled. It makes much more sense to sell the cards in multiple small batches, mixed with other cards stolen at different locations. Identifying the origin of the stolen cards and detecting fraud becomes much more difficult for a bank when using that strategy.
Carding sites don’t wait for a hacks’ news report to sell their cards
There are countless platforms advertising the sale of stolen credit cards and all are competing for the same business. Making claims about the release of a large credit card dump is more about generating publicity and buzz around a platform than an actual new threat for the victims of the hack.
The news reports by CBS news, the Washington Post, Bloomberg and KrebsOnSecurity mention the Joker’s Stash name and establish that name as a reference in the community of stolen financial information dealers.
Joker’s Stash simply banks on the notoriety of large and public data breach to grow their reputation. The news report have nothing to do with the actual sale of the stolen cards.
Wawa’s cards are NOT only sold on the dark web
Joker’s Stash, the site advertising the stolen credit cards, is indeed available on the dark web, the anonymous communication channel typically used by malicious actors to buy and sell stolen financial information. It is however also available on the regular internet as shown in the screenshot below.
It is a little-known fact that many of the sites hosted on the dark web are also available on the regular internet. Malicious actors want to attract the largest number of buyers for their stolen financial information and limiting themselves to dark web buyers makes no sense when large quantities of stolen financial information is put up for sale.
The credit cards were not sold for only $17 each
The price of stolen credit card sold online often seems to make no sense. Why would someone sell a credit card information for USD$17 when it could be used to purchase thousands of dollars of products online? In their seminal paper titled Nobody Sells Gold for the Price of Silver, Herley and Florencio argue that there exists a two-tier underground economy where unorganized and isolated malicious actors are manipulated by organized gangs, who alone turn a profit from dealing in stolen credit cards.
In Wawa’s case, the USD$17 price point suggests that the credit cards were sold a first time over the course of 2019 in small batches, by organized gangs to a limited circle of malicious actors. When news broke about Wawa’s hack on December 19 2019, the sale of Wawa credit cards probably slowed or stopped, only to be resumed on Joker’s Stash the following month at a discounted price given their now tainted nature.
While the USD$17 is not as low as the estimates from previous studies, it is on the low-end of stolen credit card advertised online and suggests that the value of these cards is not in the fraud they enable but in the publicity they bring to Joker’s Stash.
Want to make sure that your company is not targeted by malicious actors? Contact our team for a demo of our Firework product that monitors data breaches in real time and reduces the time to detection of data breaches from more than 3 months to a matter of hours or days.