Over 1 million South Korea-issued Card Present records have been posted for sale on the dark web since the end of May, Gemini Advisory says.
The security firm could not pinpoint the exact compromised point of purchase (CPP), but believes the records may have been obtained either from a breached company operating several different businesses or from a compromised point-of-sale (POS) integrator.
Amid an increase in attacks targeting brick-and-mortar and e-commerce businesses in the Asia Pacific (APAC) region, South Korea emerges as the largest victim of Card Present (CP) data theft by a wide margin, Gemini Advisory says.
Although EMV chips have been used in the country since 2015 and compliance is mandatory since July 2018, CP fraud still frequently occurs, especially due to poor merchant implementation.
In May 2019, Gemini Advisory found 42,000 compromised South Korea-issued CP records posted for sale on the dark web, with a 448% spike in June, when 230,000 records were observed. In July, there were 890,000 records posted, marking a 2,019% increase from May.
Overall, more than 1 million compromised South Korea-issued CP records have been posted for sale on the dark web since May 29, 2019.
The security firm also identified 3.7% US-issued cards, with a credit union that primarily serves the US Air Force emerging as one of the most impacted US financial institutions (the Air Force maintains multiple air bases in South Korea).
“Through an in-depth analysis of the compromised cards, analysts determined that many of them belong to US cardholders visiting South Korea. Since South Korea has received just over 1 million US travelers in the past 12 months, this should account for the high level of US payment records,” Gemini Advisory says.
The median price per record is $40, significantly higher than the $24 median price of South Korean CP records across the dark web overall, the security firm notes. While 2018 marked a relatively large supply of such records, but a low demand, 2019 saw lower supply, but a growing demand.
“The demand continued to increase while the supply remained stagnant until the recent spike in South Korean records from June until the present. This sudden influx in card supply may be highly priced in an attempt to capitalize on the growing demand,” Gemini Advisory notes.
The security firm says attempts to explore potential CPPs were not fruitful, as there were too many possible businesses affected by this breach. The most likely scenarios suggest that either a large business was compromised, or that a POS integrator was breached, impacting multiple merchants.
“South Korea’s high CP fraud rates indicate a weakness in the country’s payment security that fraudsters are motivated to exploit. As this global trend towards increasingly targeting non-Western countries continues, Gemini Advisory assesses with a moderate degree of confidence that both the supply and demand for South Korean-issued CP records in the dark web will likely increase,” the security firm concludes.
Related: A Crash-Course in Card Shops